Configuration, Command, and File Reference
Updated for Directory Server 9.1.2
Abstract
Deprecated Documentation
Important
About This Reference
1. Directory Server Overview
- An LDAP server – The LDAP v3-compliant network daemon.
- Directory Server Console – A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service.
- SNMP agent – Can monitor the Directory Server using the Simple Network Management Protocol (SNMP).
2. Examples and Formatting
2.1. Command and File Examples
Example 1. Example Command
service dirsrv start
2.2. Brackets
[]) are used to indicate an alternative element in a name. For example, if a tool is available in /usr/lib on 32-bit systems and in /usr/lib64 on 64-bit systems, then the tool location may be represented as /usr/lib[64].
2.3. Client Tool Information
/usr/bin and the /usr/sbin directories.
Important
ldapmodify and ldapsearch from OpenLDAP use SASL connections by default. To perform a simple bind using a user name and password, use the -x argument to disable SASL.
2.4. Text Formatting and Styles
| Formatting Style | Purpose |
|---|---|
| Monospace font | Monospace is used for commands, package names, files and directory paths, and any text displayed in a prompt. |
| Monospace with a background | This type of formatting is used for anything entered or returned in a command prompt. |
| Italicized text | Any text which is italicized is a variable, such as instance_name or hostname. Occasionally, this is also used to emphasize a new term or other phrase. |
| Bolded text | Most phrases which are in bold are application names, such as Cygwin, or are fields or options in a user interface, such as a User Name Here: field or button. |
Note
Important
Warning
3. Additional Reading
- Red Hat Directory Server Release Notes contain important information on new features, fixed bugs, known issues and workarounds, and other important deployment information for this specific version of Directory Server.
- Red Hat Directory Server Deployment Guide provides an overview for planning a deployment of the Directory Server.
- Red Hat Directory Server Administrator's Guide contains procedures for the day-to-day maintenance of the directory service. Includes information on configuring server-side plug-ins.
- Red Hat Directory Server Configuration, Command, and File Reference provides reference information on the command-line scripts, configuration attributes, schema elements, and log files shipped with Directory Server.
- Red Hat Directory Server Installation Guide contains procedures for installing your Directory Server as well as procedures for migrating from a previous installation of Directory Server.
- Red Hat Directory Server Plug-in Programmer's Guide describes how to write server plug-ins in order to customize and extend the capabilities of Directory Server.
- The Red Hat Directory Server Performance Tuning Guide contains features to monitor overall Directory Server and database performance, to tune attributes for specific operations, and to tune the server and database for optimum performance.
4. Giving Feedback
- Select the Red Hat Directory Server product.
- Set the component to Doc - cli-guide.
- Set the version number to 9.0.
- For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedure or typo. For enhancements, put in what information needs to be added and why.
- Give a clear title for the bug. For example, "Incorrect command example for setup script options" is better than "Bad example".
Chapter 1. Introduction
ns-slapd process or service on the machine. The server manages the directory databases and responds to client requests.
1.1. Directory Server Configuration
1.2. Directory Server Instance File Reference
1.3. Using Directory Server Command-Line Utilities
ns-slapd command-line utilities for performing directory operations, as described in Appendix A, Using the ns-slapd Command-Line Utilities.
1.4. Using Directory Server Command-Line Scripts
Chapter 2. Server Instance File Reference
/etc/dirsrv/slapd-instance_name directory.[1] Having an overview of the files and configuration information stored in each instance of Directory Server helps with understanding the file changes (or lack of file changes) which occur in the course of directory activity. It can also help to detect errors and intrusion by indicating what kind of changes to expect and, as a result, what changes are abnormal.
2.1. Overview of Directory Server Files
Note
/etc/dirsrv/slapd-instance_name. If the Directory Server is on a different platform, adjust the paths accordingly.
Table 2.1. Red Hat Enterprise Linux 4 and 5 (x86)
| File or Directory | Location |
|---|---|
| Backup files | /var/lib/dirsrv/slapd-instance_name/bak |
| Configuration files | /etc/dirsrv/slapd-instance_name |
| Database files | /var/lib/dirsrv/slapd-instance_name/db |
| LDIF files | /var/lib/dirsrv/slapd-instance_name/ldif |
| Lock files | /var/lock/dirsrv/slapd-instance_name |
| Log files | /var/log/dirsrv/slapd-instance_name |
| PID files | /var/run/dirsrv |
| Tools | |
| Instance directory | /etc/dirsrv/slapd-instance_name |
Table 2.2. Red Hat Enterprise Linux 4 and 5 (x86_64)
| File or Directory | Location |
|---|---|
| Backup files | /var/lib/dirsrv/slapd-instance_name/bak |
| Configuration files | /etc/dirsrv/slapd-instance_name |
| Database files | /var/lib/dirsrv/slapd-instance_name/db |
| LDIF files | /var/lib/dirsrv/slapd-instance_name/ldif |
| Lock file | /var/lock/dirsrv/slapd-instance_name |
| Log files | /var/log/dirsrv/slapd-instance_name |
| PID | /var/run/dirsrv |
| Tools | |
| Instance directory | /usr/lib64/dirsrv/slapd-instance |
2.2. Configuration Files
/etc/dirsrv/slapd-instance_name directory.
2.2.1. Overview of the Directory Server Configuration
cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. The latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.
cn=plugins,cn=config. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.
cn=config directory information tree.

Figure 2.1. Directory Information Tree Showing Configuration Data
2.2.1.1. LDIF and Schema Configuration Files
/etc/dirsrv/slapd-instance_name directory. Thus, if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 5 (64-bit), the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook.
/etc/dirsrv/schema directory.
Table 2.3. Directory Server LDIF Configuration Files
2.2.1.2. How the Server Configuration Is Organized
dse.ldif file contains all configuration information including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of cn=config and cn=monitor.
dse.ldif file, it lists the entries in hierarchical order in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries.
dse.ldif also contains the cn=monitor entry, which is mostly read-only, but can have ACIs set on it.
Note
dse.ldif file does not contain every attribute in cn=config. If the attribute has not been set by the administrator and has a default value, the server will not write it to dse.ldif. To see every attribute in cn=config, use ldapsearch.
2.2.1.2.1. Configuration Attributes
dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: nobody
...
2.2.1.2.2. Configuration of Plug-in Functionality
cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
ldapsearch on the cn=config subtree.
2.2.1.2.3. Configuration of Databases
o=NetscapeRoot and cn=UserRoot subtrees under the database plug-in entry contain configuration data for the databases containing the o=NetscapeRoot suffix and the default suffix created during setup, such as dc=example,dc=com.
2.2.1.2.4. Configuration of Indexes
- cn=index,o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
- cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
2.2.2. Accessing and Modifying Server Configuration
2.2.2.1. Access Control for Configuration Entries
cn=config. The following code sample is an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all)
groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all)
groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all)
groupdn = "ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server,
cn=Server Group,cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)
- Members of the Configuration Administrators group.
- The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
- Members of the local Directory Administrators group.
- The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
2.2.2.2. Changing Configuration Attributes
ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
Note
dse.ldif file, the server must be stopped; otherwise, the changes are lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Section 2.2.2.2.3, “Configuration Changes Requiring Server Restart” for further information.
2.2.2.2.1. Modifying Configuration Entries Using LDAP
ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is changes can be made while the server is running.
Note
cn=config subtree as this risks affecting Directory Server functionality.
ldapsearch operation on the cn=config subtree:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)"
- bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
- password is the password chosen for the Directory Manager.
ldapmodify to edit the nsslapd-pluginEnabled attribute:
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
2.2.2.2.2. Restrictions to Modifying Configuration Entries and Attributes
- The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
- If an attribute is added to cn=config, the server ignores it.
- If an invalid value is entered for an attribute, the server ignores it.
- Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute from an entry.
2.2.2.2.3. Configuration Changes Requiring Server Restart
dse.ldif file. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
| nsslapd-cachesize | nsslapd-certdir |
| nsslapd-dbcachesize | nsslapd-dbncache |
| nsslapd-plugin | nsslapd-changelogdir |
| nsslapd-changelogmaxage | nsslapd-changelogmaxentries |
| nsslapd-port | nsslapd-schemadir |
| nsslapd-saslpath | nsslapd-secureport |
| nsslapd-tmpdir | nsSSL2 |
| nsSSL3 | nsSSLclientauth |
| nsSSLSessionTimeout | nsslapd-conntablesize |
| nsslapd-lockdir | nsslapd-maxdescriptors |
| nsslapd-reservedescriptors | nsslapd-listenhost |
| nsslapd-schema-ignore-trailing-spaces | nsslapd-securelistenhost |
| nsslapd-workingdir | nsslapd-return-exact-case |
| nsslapd-maxbersize[a] | |
[a] Although this attribute requires a restart, it is not returned in the search.
2.2.2.2.4. Deleting Configuration Attributes
dse.ldif file, because they all have default values used by the server. Deleting any of those attributes is generally not allowed because the server requires that those attributes be present for it to run.
nsslapd-allowed-to-delete-attrs parameter lists core configuration attributes which are allowed to be deleted from the configuration. Delete operations for those attributes will succeed.
nsslapd-allowed-to-delete-attrs is a space-separated list of attribute names. By default, only two attributes are listed:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
Warning
2.3. Database Files
/var/lib/dirsrv/slapd-instance_name/db directory for storing all of the database files. The following is a sample listing of the /var/lib/dirsrv/slapd-instance_name/db directory contents.
Example 2.1. Database Directory Contents
__db.001 __db.003 __db.005 NetscapeRoot/ __db.002 __db.004 DBVERSION log.0000000007 userRoot/
- db.00x files — Used internally by the database and should not be moved, deleted, or modified in any way.
- log.xxxxxxxxxx files — Used to store the transaction logs per database.
- DBVERSION — Used for storing the version of the database.
- NetscapeRoot — Stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run.
- userRoot — Stores the user-defined suffix (user-defined databases) created at setup; for example, dc=example,dc=com.
Note
testRoot) to store the directory tree under a new suffix, the directory named testRoot also appears in the /var/lib/dirsrv/slapd-instance_name/db directory.
NetscapeRoot directory contents.
Example 2.2. NetscapeRoot Database Directory Contents
./ entrydn.db4* parentid.db4* ../ givenName.db4* sn.db4* DBVERSION* id2entry.db4* uid.db4* aci.db4* nsUniqueId.db4* uniquemember.db4* ancestorid.db4* numsubordinates.db4* cn.db4* objectclass.db4*
NetscapeRoot subdirectories contain an index_name.db4 file for every index currently defined in the database. In addition to these files, the NetscapeRoot and userRoot subdirectories contain the following files:
- ancestorid.db4 — Contains a list of IDs to find the ID of the entry's ancestor.
- entrydn.db4 — Contains a list of full DNs to find any ID.
- id2entry.db4 — Contains the actual directory database entries. All other database files can be recreated from this one, if necessary.
- nsuniqueid.db4 — Contains a list of unique IDs to find any ID.
- numsubordinates.db4 — Contains IDs that have child entries.
- objectclass.db4 — Contains a list of IDs which have a particular object class.
- parentid.db4 — Contains a list of IDs to find the ID of the parent.
2.4. LDIF Files
/var/lib/dirsrv/slapd-instance_name/ldif directory for storing LDIF-related files. Example 2.3, “LDIF Directory Contents” lists the /ldif directory contents.
Example 2.3. LDIF Directory Contents
European.ldif Example.ldif Example-roles.ldif Example-views.ldif
- European.ldif — Contains European character samples.
- Example.ldif — Is a sample LDIF file.
- Example-roles.ldif — Is a sample LDIF file similar to Example.ldif, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.
Note
db2ldif or db2ldif.pl scripts in the instance directory are stored in /var/lib/dirsrv/slapd-instance_name/ldif.
2.5. Lock Files
/var/lock/dirsrv/slapd-instance_name directory for storing lock-related files. The following is a sample listing of the locks directory contents.
Example 2.4. Lock Directory Contents
exports/ imports/ server/
imports/ directory to prevent any other ns-slapd (normal), ldif2db (another import), or db2ldif (export) operations from running. If the server is running as normal, there is a lock in the server/ directory, which prevents import operations (but not export operations), while if there is an export operation, the lock in the exports/ directory allows normal server operations but prevents import operations.
nsslapd-db-locks attribute. Tuning that attribute value is described in the Performance Tuning Guide.
2.6. Log Files
/var/log/dirsrv/slapd-instance_name directory for storing log files. The following is a sample listing of the /logs directory contents.
Example 2.5. Log Directory Contents
access access.20170228-171925 errors access.20170221-162824 access.rotationinfo errors.20170221-162824 access.20170223-171949 audit errors.rotationinfo access.20170227-171818 audit.rotationinfo slapd.stats
- The content of the access, audit, and error log files is dependent on the log configuration.
- The slapd.stats file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
2.7. PID Files
slapd-serverID.pid and slapd-serverID.startpid files are created in the /var/run/dirsrv directory when the server is up and running. Both files store the server's process ID.
2.8. Tools
- /usr/bin
- /usr/sbin
Example 2.6. /bin Contents
dbscan ldif dbscan-bin ldif-bin
Example 2.7. /sbin Contents
ds_removal migrate-ds-admin.pl remove-ds.pl setup-ds-admin.pl ds_unregister register-ds-admin.pl remove-ds-admin.pl setup-ds.pl
2.9. Scripts
/etc/dirsrv/slapd-instance_name directory. The contents of the /etc/dirsrv/slapd-instance_name directory are listed in Example 2.8, “Instance Directory Contents”. Chapter 9, Command-Line Scripts has more information on command-line scripts.
Example 2.8. Instance Directory Contents
bak2db db2index.pl ldif2db.pl ns-inactivate.pl start-slapd bak2db.pl db2ldif ldif2ldap ns-newpwpolicy.pl stop-slapd db2bak db2ldif.pl monitor restart-slapd suffix2instance db2bak.pl dbverify ns-accountstatus.pl restoreconfig verify-db.pl db2index ldif2db ns-activate.pl saveconfig vlvindex
2.10. Backup Files
- /var/lib/dirsrv/slapd-instance_name/bak — This contains a directory dated with the instance_name, time and date of the database backup, such as instance_name-2017_05_02_16_56_05/, which in turn holds the database backup copy.
- /etc/dirsrv/slapd-instance_name/dse_original.ldif — This is a backup copy of the dse.ldif configuration file from the time of installation.
/lib directory only applies to Red Hat Enterprise Linux 32-bit systems. On Red Hat Enterprise Linux 64-bit systems, the directory is /lib64.
Chapter 3. Core Server Configuration Reference
3.1. Core Server Configuration Attributes Reference
dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in the following diagram.

Figure 3.1. Directory Information Tree Showing Configuration Data
cn=plugins node is covered in Chapter 4, Plug-in Implemented Server Functionality Reference. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Note
3.1.1. cn=config
cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class.
3.1.1.1. nsslapd-accesslog (Access Log)
- IP address (IPv4 or IPv6) of the client machine that accessed the database.
- Operations performed (for example, search, add, and modify).
- Result of the access (for example, the number of entries returned or an error code).
nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 3.1. dse.ldif File Attributes
| Attribute | Value | Logging enabled or disabled |
|---|---|---|
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | on<br>empty string | Disabled |
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | on<br>filename | Enabled |
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | off<br>empty string | Disabled |
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | off<br>filename | Disabled |
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid filename. |
| Default Value | /var/log/dirsrv/slapd-instance_name/access |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog: /var/log/dirsrv/slapd-instance_name/access |
3.1.1.2. nsslapd-accesslog-level (Access Log Level)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | |
| Default Value | 256 |
| Syntax | Integer |
| Example | nsslapd-accesslog-level: 256 |
3.1.1.3. nsslapd-accesslog-list (List of Access Log Files)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog-list: accesslog2,accesslog3 |
3.1.1.4. nsslapd-accesslog-logbuffering (Log Buffering)
off, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog-logbuffering: off |
3.1.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
nsslapd-accesslog-logexpirationtimeunit attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32 bit integer value (2147483647). A value of -1 or 0 means that the log never expires. |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-accesslog-logexpirationtime: 2 |
3.1.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | month | week | day |
| Default Value | month |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog-logexpirationtimeunit: week |
3.1.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
nsslapd-accesslog attribute that specifies the path and parameter of the log used to record each database access.
on, and the nsslapd-accesslog configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 3.2. dse.ldif Attributes
| Attribute | Value | Logging Enabled or Disabled |
|---|---|---|
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | on<br>empty string | Disabled |
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | on<br>filename | Enabled |
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | off<br>empty string | Disabled |
| nsslapd-accesslog-logging-enabled<br>nsslapd-accesslog | off<br>filename | Disabled |
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog-logging-enabled: off |
3.1.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size. |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-accesslog-logmaxdiskspace: 100000 |
3.1.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647) |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-accesslog-logminfreediskspace: -1 |
3.1.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
on, and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog-logrotationsync-enabled: on |
3.1.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 through 23 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-accesslog-logrotationsynchour: 23 |
3.1.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 through 59 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-accesslog-logrotationsyncmin: 30 |
3.1.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
nsslapd-accesslog-logrotationtimeunit attribute.
nsslapd-accesslog-maxlogsperdir attribute value to 1 or set the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See Section 3.1.1.16, “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” for more information.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited. |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-accesslog-logrotationtime: 100 |
3.1.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
nsslapd-accesslog-logrotationtime attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | month | week | day | hour | minute |
| Default Value | day |
| Syntax | DirectoryString |
| Example | nsslapd-accesslog-logrotationtimeunit: week |
3.1.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size. |
| Default Value | 100 |
| Syntax | Integer |
| Example | nsslapd-accesslog-maxlogsize: 100 |
3.1.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
1 because the server does not rotate the log, and it grows indefinitely.
1, then check the nsslapd-accesslog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.13, “nsslapd-accesslog-logrotationtime (Access Log Rotation Time)” for more information.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
| Default Value | 10 |
| Syntax | Integer |
| Example | nsslapd-accesslog-maxlogsperdir: 10 |
3.1.1.17. nsslapd-accesslog-mode (Access Log File Permission)
000 to 777 (these mirror the numbered or absolute UNIX file permissions). The value must be a 3-digit number, the digits varying from 0 through 7:
- 0 - None
- 1 - Execute only
- 2 - Write only
- 3 - Write and execute
- 4 - Read only
- 5 - Read and execute
- 6 - Read and write
- 7 - Read, write, and execute
000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 000 through 777 |
| Default Value | 600 |
| Syntax | Integer |
| Example | nsslapd-accesslog-mode: 600 |
3.1.1.18. nsslapd-allow-anonymous-access
rootdse, allows anonymous search and read access to search the root DSE itself, but restricts access to all other directory entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off | rootdse |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-allow-anonymous-access: on |
3.1.1.19. nsslapd-allow-unauthenticated-binds
ldapsearch without supplying a password option:
ldapsearch -D "cn=directory manager" -b "dc=example,dc=com" -s sub "(objectclass=*)"
nsslapd-allow-unauthenticated-binds attribute sets whether to allow an unauthenticated bind to succeed as an anonymous bind. By default, unauthenticated binds are disabled.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-allow-unauthenticated-binds: on |
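The access-log enablement, file mode, rotation, anonymous-access and unauthenticated-bind settings described in Sections 3.1.1.1 through 3.1.1.19 can be checked together against a dse.ldif file. The following is an added example, not part of the Directory Server documentation or tooling; the function names, finding labels and sample LDIF are constructed for illustration, and it handles only plain (non-base64), single-valued attributes.

```python
import re

# Defaults from the attribute tables on this page. The server does not write
# attributes left at their default to dse.ldif, so the audit fills them in.
DEFAULTS = {
    "nsslapd-accesslog-logging-enabled": "on",
    "nsslapd-accesslog": "/var/log/dirsrv/slapd-instance_name/access",
    "nsslapd-accesslog-mode": "600",
    "nsslapd-accesslog-maxlogsperdir": "10",
    "nsslapd-accesslog-logrotationtime": "1",
    "nsslapd-allow-anonymous-access": "on",
    "nsslapd-allow-unauthenticated-binds": "off",
}

# Constructed sample input, modelled on the cn=config excerpt shown earlier.
SAMPLE_DSE = """\
dn: cn=config
objectclass: top
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog: /var/log/dirsrv/slapd-phonebook/acc
 ess
nsslapd-accesslog-mode: 666
nsslapd-accesslog-maxlogsperdir: 1
nsslapd-allow-unauthenticated-binds: on
nsslapd-port: 389

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: nsSlapdPlugin
nsslapd-pluginEnabled: on
"""


def parse_entry(ldif_text, dn="cn=config"):
    """Return {attr: value} for one entry, unfolding LDIF continuation lines."""
    # In LDIF, a line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            # Attribute names are case-insensitive; keep the first value only.
            attrs.setdefault(name.strip().lower(), value.strip())
        if attrs.get("dn", "").lower() == dn.lower():
            return attrs
    return {}


def _int(cfg, name):
    """Integer value of an attribute, falling back to the documented default."""
    try:
        return int(cfg[name])
    except ValueError:
        return int(DEFAULTS[name])


def audit(attrs):
    """Return a sorted list of finding labels for a cn=config attribute dict."""
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in attrs.items() if k in DEFAULTS})
    findings = []

    # Table 3.1: logging happens only when enabled is "on" AND a filename is set.
    enabled = cfg["nsslapd-accesslog-logging-enabled"].lower() == "on"
    if not enabled or not cfg["nsslapd-accesslog"]:
        findings.append("access-logging-disabled")

    # nsslapd-accesslog-mode: three digits 0-7 (owner, group, everyone).
    mode = cfg["nsslapd-accesslog-mode"]
    if not re.fullmatch(r"[0-7]{3}", mode):
        findings.append("accesslog-mode-invalid")
    elif int(mode, 8) == 0:
        findings.append("accesslog-mode-000")         # nobody can read the log
    elif int(mode, 8) & 0o002:
        findings.append("accesslog-world-writable")   # anyone can overwrite it

    # Rotation as described for maxlogsperdir: 1 means the log is never
    # rotated; above 1, a logrotationtime of -1 also means no rotation.
    if (_int(cfg, "nsslapd-accesslog-maxlogsperdir") == 1
            or _int(cfg, "nsslapd-accesslog-logrotationtime") == -1):
        findings.append("accesslog-no-rotation")

    # "rootdse" limits anonymous reads to the root DSE; "on" is the default.
    if cfg["nsslapd-allow-anonymous-access"].lower() == "on":
        findings.append("anonymous-access-on")

    # A bind DN with no password succeeds as an anonymous bind when "on".
    if cfg["nsslapd-allow-unauthenticated-binds"].lower() == "on":
        findings.append("unauthenticated-binds-enabled")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_entry(SAMPLE_DSE)):
        print(finding)
```

Because defaults are applied, an entry that sets none of these attributes still reports anonymous access as enabled, which is what the default value of nsslapd-allow-anonymous-access implies.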
3.1.1.20. nsslapd-allowed-to-delete-attrs
dse.ldif file, because they all have default values used by the server.
nsslapd-allowed-to-delete-attrs is a space-separated list of attribute names.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any core server configuration attribute |
| Default Value | nsslapd-listenhost nsslapd-securelistenhost |
| Syntax | DirectoryString |
| Example | nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost |
3.1.1.21. nsslapd-anonlimitsdn
nsslapd-sizeLimit), a time limit (nsslapd-timelimit) and time out period (nsslapd-idletimeout) for searches, and the total number of entries that can be searched (nsslapd-lookthroughlimit). These resource limits prevent denial of service attacks from tying up directory resources and improve overall performance.
nsslapd-anonlimitsdn configuration attribute can then be added that points to this entry and applies the resource limits to anonymous binds.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com |
3.1.1.22. nsslapd-attribute-name-exceptions
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-attribute-name-exceptions: on |
3.1.1.23. nsslapd-auditlog (Audit Log)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid filename |
| Default Value | /var/log/dirsrv/slapd-instance_name/audit |
| Syntax | DirectoryString |
| Example | nsslapd-auditlog: /var/log/dirsrv/slapd-instance_name/audit |
nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Table 3.3. Possible Combinations for nsslapd-auditlog
| nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Logging enabled or disabled |
|---|---|---|
| on | empty string | Disabled |
| on | filename | Enabled |
| off | empty string | Disabled |
| off | filename | Disabled |
3.1.1.24. nsslapd-auditlog-list
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-auditlog-list: auditlog2,auditlog3 |
3.1.1.25. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
nsslapd-auditlog-logexpirationtimeunit attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32 bit integer value (2147483647). A value of -1 or 0 means that the log never expires. |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-auditlog-logexpirationtime: 1 |
3.1.1.26. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | month | week | day |
| Default Value | week |
| Syntax | DirectoryString |
| Example | nsslapd-auditlog-logexpirationtimeunit: day |
3.1.1.27. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-auditlog-logging-enabled: off |
nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Table 3.4. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled
| nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Logging enabled or disabled |
|---|---|---|
| on | empty string | Disabled |
| on | filename | Enabled |
| off | empty string | Disabled |
| off | filename | Disabled |
3.1.1.28. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size. |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-auditlog-logmaxdiskspace: 10000 |
3.1.1.29. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647) |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-auditlog-logminfreediskspace: -1 |
3.1.1.30. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-auditlog-logrotationsync-enabled: on |
3.1.1.31. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 through 23 |
| Default Value | None (because nsslapd-auditlog-logrotationsync-enabled is off) |
| Syntax | Integer |
| Example | nsslapd-auditlog-logrotationsynchour: 23 |
3.1.1.32. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 through 59 |
| Default Value | None (because nsslapd-auditlog-logrotationsync-enabled is off) |
| Syntax | Integer |
| Example | nsslapd-auditlog-logrotationsyncmin: 30 |
3.1.1.33. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
nsslapd-auditlog-maxlogsperdir attribute value to 1 or set the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See Section 3.1.1.36, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)” for more information.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited. |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-auditlog-logrotationtime: 100 |
3.1.1.34. nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
nsslapd-auditlog-logrotationtime attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | month | week | day | hour | minute |
| Default Value | week |
| Syntax | DirectoryString |
| Example | nsslapd-auditlog-logrotationtimeunit: day |
3.1.1.35. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size. |
| Default Value | 100 |
| Syntax | Integer |
| Example | nsslapd-auditlog-maxlogsize: 50 |
3.1.1.36. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
1 log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.
1, then check the nsslapd-auditlog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.33, “nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)” for more information.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-auditlog-maxlogsperdir: 10 |
3.1.1.37. nsslapd-auditlog-mode (Audit Log File Permission)
000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:
- 0 - None
- 1 - Execute only
- 2 - Write only
- 3 - Write and execute
- 4 - Read only
- 5 - Read and execute
- 6 - Read and write
- 7 - Read, write, and execute
000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 000 through 777 |
| Default Value | 600 |
| Syntax | Integer |
| Example | nsslapd-auditlog-mode: 600 |
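The audit log attributes above interact: Table 3.3 decides whether logging happens at all, nsslapd-auditlog-maxlogsperdir is checked before nsslapd-auditlog-logrotationtime, and nsslapd-auditlog-mode decides who can touch the file. The following added example (not part of the original reference, and not Directory Server code) evaluates those rules for a cn=config entry read from LDIF, and applies the same rules to the nsslapd-errorlog attributes, which follow the same pattern on this page. The function names and the sample entry are constructed for illustration, and treating an attribute that is absent from the file as an empty string is an assumption of the example.

```python
import base64
import re

# Defaults as listed in the parameter tables on this page.
DEFAULTS = {
    "auditlog": {"logging-enabled": "off", "maxlogsperdir": "1",
                 "logrotationtime": "1", "logrotationtimeunit": "week", "mode": "600"},
    "errorlog": {"logging-enabled": "on", "maxlogsperdir": "1",
                 "logrotationtime": "1", "logrotationtimeunit": "week", "mode": "600"},
}

# Constructed sample, not taken from a real server.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-auditlog: /var/log/dirsrv/slapd-example/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logrotationtime: 1
nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-mode: 666
nsslapd-errorlog: /var/log/dirsrv/slapd-example/errors
nsslapd-errorlog-maxlogsperdir: 10
nsslapd-errorlog-logrotationtime: -1

dn: cn=plugins,cn=config
cn: plugins
"""


def parse_config_entry(ldif_text):
    """Return {attribute_name_lowercased: value} for the cn=config entry."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:   # LDIF continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    found, current = {}, {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current.get("dn", "").lower() == "cn=config":
                found = current
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current[name.strip().lower()] = value.strip()
    return found


def _get(cfg, log, suffix):
    return cfg.get(f"nsslapd-{log}-{suffix}", DEFAULTS[log][suffix])


def logging_enabled(cfg, log):
    """Tables 3.3 and 3.5: only 'on' together with a filename enables logging."""
    switch = _get(cfg, log, "logging-enabled").lower() == "on"
    # Assumption of this example: an attribute absent from the file counts as empty.
    return switch and cfg.get(f"nsslapd-{log}", "") != ""


def rotation(cfg, log):
    """Return (interval, unit), or None when the log is never rotated."""
    if int(_get(cfg, log, "maxlogsperdir")) <= 1:
        return None                            # checked first; rotation time is ignored
    interval = int(_get(cfg, log, "logrotationtime"))
    if interval == -1:
        return None
    return interval, _get(cfg, log, "logrotationtimeunit")


def mode_findings(cfg, log):
    """Flag the permission values the mode sections warn about."""
    mode = _get(cfg, log, "mode")
    if not re.fullmatch(r"[0-7]{3}", mode):
        return [f"{mode!r} is not a 3-digit value between 000 and 777"]
    bits, findings = int(mode, 8), []
    if bits == 0:
        findings.append("000: nobody can access the log")
    if bits & 0o002:
        findings.append("write permission for everyone: log can be overwritten or deleted")
    if bits & 0o004:
        findings.append("read permission for everyone")
    return findings


def audit_logs(ldif_text):
    """Evaluate both logs of one cn=config entry."""
    cfg = parse_config_entry(ldif_text)
    return {log: {"enabled": logging_enabled(cfg, log),
                  "rotation": rotation(cfg, log),
                  "mode": mode_findings(cfg, log)}
            for log in DEFAULTS}


if __name__ == "__main__":
    for log, result in audit_logs(SAMPLE_DSE).items():
        print(log, result)
```

In the sample, the audit log is enabled but never rotated, because nsslapd-auditlog-maxlogsperdir is 1 and the rotation time of one day is therefore ignored.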
3.1.1.38. nsslapd-bakdir (Default Backup Directory)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any local directory path. |
| Default Value | /var/lib/dirsrv/slapd-instance/bak |
| Syntax | DirectoryString |
| Example | nsslapd-bakdir: /var/lib/dirsrv/slapd-instance/bak |
3.1.1.39. nsslapd-certdir (Certificate and Key Database Directory)
/etc/dirsrv/slapd-instance_name.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Absolute path to any directory which is owned by the server user ID and only allows read and write access to the server user ID |
| Default Value | /etc/dirsrv/slapd-instance_name |
| Syntax | DirectoryString |
| Example | /etc/dirsrv/slapd-phonebook |
3.1.1.40. nsslapd-certmap-basedn (Certificate Map Search Base)
certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. The valid value for this attribute is the DN of the suffix or subtree to use for certificate mapping. For further information on configuring for SSL, see the "Managing SSL" chapter in the Directory Server Administrator's Guide.
3.1.1.41. nsslapd-config
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid configuration DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-config: cn=config |
3.1.1.42. nsslapd-conntablesize
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Operating-system dependent |
| Default Value | The default value is the system's max descriptors, which can be configured using the nsslapd-maxdescriptors attribute (see Section 3.1.1.93, “nsslapd-maxdescriptors (Maximum File Descriptors)”). |
| Syntax | Integer |
| Example | nsslapd-conntablesize: 4093 |
Not listening for new connections -- too many fds open.
ulimit for the number of open files (ulimit -n) in the shell that starts the Directory Server. See Section 3.1.1.93, “nsslapd-maxdescriptors (Maximum File Descriptors)” for more information.
3.1.1.43. nsslapd-counters
nsslapd-counters attribute enables and disables Directory Server database and server performance counters.
dse.ldif file directly, and restart the server.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-counters: on |
3.1.1.44. nsslapd-csnlogging
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-csnlogging: on |
3.1.1.45. nsslapd-defaultnamingcontext
defaultNamingContext attribute, which allows clients to query the root DSE to obtain the context and then to initiate a search with the appropriate base.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any root suffix DN |
| Default Value | The default user suffix |
| Syntax | DN |
| Example | nsslapd-defaultnamingcontext: dc=example,dc=com |
3.1.1.46. nsslapd-disk-monitoring
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-disk-monitoring: on |
3.1.1.47. nsslapd-disk-monitoring-grace-period
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any integer (sets value in minutes) |
| Default Value | 60 |
| Syntax | Integer |
| Example | nsslapd-disk-monitoring-grace-period: 45 |
3.1.1.48. nsslapd-disk-monitoring-logging-critical
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-disk-monitoring-logging-critical: on |
3.1.1.49. nsslapd-disk-monitoring-threshold
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | |
| Default Value | 2000000 (2MB) |
| Syntax | DirectoryString |
| Example | nsslapd-disk-monitoring-threshold: 2000000 |
3.1.1.50. nsslapd-dn-validate-strict
nsslapd-dn-validate-strict attribute explicitly enables strict syntax validation for DNs, according to section 3 in RFC 4514. If this attribute is set to off (the default), the server normalizes the value before checking it for syntax violations.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-dn-validate-strict: off |
3.1.1.51. nsslapd-ds4-compatible-schema
cn=schema compatible with 4.x versions of Directory Server.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-ds4-compatible-schema: off |
3.1.1.52. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
objectclass attributes contained in the cn=schema entry conforms to the quoting specified by Internet draft RFC 2252. By default, the Directory Server conforms to RFC 2252, which indicates that this value should not be quoted. Only very old clients need this value set to on, so leave it off.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-enquote-sup-oc: off |
3.1.1.53. nsslapd-entryusn-import-initval
nsslapd-entryusn-import-initval. This sets a starting USN which is used for all imported entries.
nsslapd-entryusn-import-initval:
- An integer, which is the explicit start number used for every imported entry.
- next, which means that every imported entry uses whatever the highest entry USN value was on the server before the import operation, incremented by one.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any integer | next |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-entryusn-import-initval: next |
3.1.1.54. nsslapd-errorlog (Error Log)
- Server startup and shutdown times.
- The port number that the server uses.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid filename |
| Default Value | /var/log/dirsrv/slapd-instance_name/errors |
| Syntax | DirectoryString |
| Example | nsslapd-errorlog: /var/log/dirsrv/slapd-instance_name/errors |
nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
Table 3.5. Possible Combinations for nsslapd-errorlog Configuration Attributes
| nsslapd-errorlog-logging-enabled | nsslapd-errorlog | Logging enabled or disabled |
|---|---|---|
| on | empty string | Disabled |
| on | filename | Enabled |
| off | empty string | Disabled |
| off | filename | Disabled |
3.1.1.55. nsslapd-errorlog-level (Error Log Level)
3 includes both levels 1 and 2.
nsslapd-errorlog-level is 16384.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | |
| Default Value | 16384 |
| Syntax | Integer |
| Example | nsslapd-errorlog-level: 8192 |
3.1.1.56. nsslapd-errorlog-list
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-errorlog-list: errorlog2,errorlog3 |
3.1.1.57. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
nsslapd-errorlog-logexpirationtimeunit attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32 bit integer value (2147483647). A value of -1 or 0 means that the log never expires. |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-errorlog-logexpirationtime: 1 |
3.1.1.58. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | month | week | day |
| Default Value | month |
| Syntax | DirectoryString |
| Example | nsslapd-errorlog-logexpirationtimeunit: week |
3.1.1.59. nsslapd-errorlog-logging-enabled (Enable Error Logging)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-errorlog-logging-enabled: on |
3.1.1.60. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size. |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-errorlog-logmaxdiskspace: 10000 |
3.1.1.61. nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647) |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-errorlog-logminfreediskspace: -1 |
3.1.1.62. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
on, and then set the values of the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attributes to 0.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-errorlog-logrotationsync-enabled: on |
3.1.1.63. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 through 23 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-errorlog-logrotationsynchour: 23 |
3.1.1.64. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 through 59 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-errorlog-logrotationsyncmin: 30 |
3.1.1.65. nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.
nsslapd-errorlog-maxlogsperdir attribute value to 1 or set the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See Section 3.1.1.68, “nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)” for more information.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between error log file rotation is unlimited. |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-errorlog-logrotationtime: 100 |
3.1.1.66. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log never expires.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | month | week | day | hour | minute |
| Default Value | week |
| Syntax | DirectoryString |
| Example | nsslapd-errorlog-logrotationtimeunit: day |
3.1.1.67. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
nsslapd-errorlog-maxlogsperdir is set to 1, the server ignores this attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size. |
| Default Value | 100 |
| Syntax | Integer |
| Example | nsslapd-errorlog-maxlogsize: 100 |
3.1.1.68. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely.
1, then check the nsslapd-errorlog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.65, “nsslapd-errorlog-logrotationtime (Error Log Rotation Time)” for more information.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-errorlog-maxlogsperdir: 10 |
3.1.1.69. nsslapd-errorlog-mode (Error Log File Permission)
000 to 777 since they mirror numbered or absolute UNIX file permissions. That is, the value must be a combination of a 3-digit number, the digits varying from 0 through 7:
- 0 - None
- 1 - Execute only
- 2 - Write only
- 3 - Write and execute
- 4 - Read only
- 5 - Read and execute
- 6 - Read and write
- 7 - Read, write, and execute
000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 000 through 777 |
| Default Value | 600 |
| Syntax | Integer |
| Example | nsslapd-errorlog-mode: 600 |
3.1.1.70. nsslapd-force-sasl-external
nsslapd-force-sasl-external attribute forces clients in certificate-based authentication to send the BIND request using the SASL/EXTERNAL method.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | String |
| Example | nsslapd-force-sasl-external: on |
3.1.1.71. nsslapd-groupevalnestlevel
nsslapd-groupevalnestlevel attribute to set the number of levels of nesting that access control performs for group evaluation. Instead, the number of levels of nesting is hardcoded as 5.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 5 |
| Default Value | 5 |
| Syntax | Integer |
| Example | nsslapd-groupevalnestlevel: 5 |
3.1.1.72. nsslapd-idletimeout (Default Idle Timeout)
0 means that the server never closes idle connections. This setting applies to all connections and all users. Idle timeout is enforced when the connection table is walked, when poll() does not return zero. Therefore, a server with a single connection never enforces the idle timeout.
nsIdleTimeout operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in the Directory Server Administrator's Guide.
Note
nsIdleTimeout attribute can be set to a high value on the entry used as the supplier bind DN.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to the maximum 32 bit integer value (2147483647) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-idletimeout: 0 |
3.1.1.73. nsslapd-instancedir (Instance Directory)
nsslapd-certdir and nsslapd-lockdir. See the documentation for the specific directory path that is set.
3.1.1.74. nsslapd-ioblocktimeout (IO Block Time Out)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to the maximum 32 bit integer value (2147483647) in ticks |
| Default Value | 1800000 |
| Syntax | Integer |
| Example | nsslapd-ioblocktimeout: 1800000 |
3.1.1.75. nsslapd-lastmod (Track Modification Time)
- modifiersname - The distinguished name of the person who last modified the entry.
- modifytimestamp - The timestamp, in GMT format, for when the entry was last modified.
- creatorsname - The distinguished name of the person who initially created the entry.
- createtimestamp - The timestamp for when the entry was created in GMT format.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-lastmod: on |
Warning
nsslapd-lastmod is set to off, then generating nsUniqueIDs is also disabled, replication does not work, and other issues may arise.
off, the solution is to export the database to LDIF (db2ldif or db2ldif.pl or from the console), set the value to on, and import the data. The import process assigns each entry a unique ID.
3.1.1.76. nsslapd-ldapiautobind (Enable Autobind)
nsslapd-ldapiautobind sets whether the server will allow users to autobind to Directory Server using LDAPI. Autobind maps the UID or GUID number of a system user to a Directory Server user, and automatically authenticates the user to Directory Server based on those credentials. The Directory Server connection occurs over a UNIX socket.
nsslapd-ldapimaprootdn maps a root user on the system to the Directory Manager. The nsslapd-ldapimaptoentries attribute maps regular users to Directory Server users, based on the parameters defined in the nsslapd-ldapiuidnumbertype, nsslapd-ldapigidnumbertype, and nsslapd-ldapientrysearchbase attributes.
nsslapd-ldapilisten is on and the nsslapd-ldapifilepath attribute is set to an LDAPI socket.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-ldapiautobind: off |
3.1.1.77. nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)
nsslapd-ldapiuidnumbertype) and GUID number (nsslapd-ldapigidnumbertype) and setting the search base to use to search for matching user entries.
nsslapd-ldapientrysearchbase gives the subtree to search for user entries to use for autobind.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | DN |
| Default Value | The suffix created when the server instance was created, such as dc=example,dc=com |
| Syntax | DN |
| Example | nsslapd-ldapientrysearchbase: ou=people,dc=example,dc=com |
3.1.1.78. nsslapd-ldapifilepath (File Location for LDAPI Socket)
nsslapd-ldapifilepath attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any directory path |
| Default Value | /var/run/dirsrv/slapd-example.socket |
| Syntax | Case-exact string |
| Example | nsslapd-ldapifilepath: /var/run/slapd-example.socket |
3.1.1.79. nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)
nsslapd-ldapigidnumbertype attribute points to the Directory Server attribute to map system GUIDs to user entries.
nsslapd-ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries).
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any Directory Server attribute |
| Default Value | gidNumber |
| Syntax | DirectoryString |
| Example | nsslapd-ldapigidnumbertype: gidNumber |
3.1.1.80. nsslapd-ldapilisten (Enable LDAPI)
nsslapd-ldapilisten enables LDAPI connections to the Directory Server. LDAPI allows users to connect to the Directory Server over a UNIX socket rather than a standard TCP port. Along with enabling LDAPI by setting nsslapd-ldapilisten to on, there must also be a UNIX socket set for LDAPI in the nsslapd-ldapifilepath attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-ldapilisten: off |
3.1.1.81. nsslapd-ldapimaprootdn (Autobind Mapping for Root User)
nsslapd-ldapimaprootdn attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any DN |
| Default Value | cn=Directory Manager |
| Syntax | DN |
| Example | nsslapd-ldapimaprootdn: cn=Directory Manager |
3.1.1.82. nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)
nsslapd-ldapimaptoentries attribute. Setting this attribute to on enables mapping for regular system users to Directory Server entries. If this attribute is not enabled, then only root users can use autobind to authenticate to the Directory Server, and all other users connect anonymously.
nsslapd-ldapiuidnumbertype and nsslapd-ldapigidnumbertype attributes, which map Directory Server attributes to the user's UID and GUID numbers.
nsslapd-ldapilisten and nsslapd-ldapifilepath) and autobind is enabled (nsslapd-ldapiautobind).
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-ldapimaptoentries: on |
3.1.1.83. nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype attribute points to the Directory Server attribute to map system UIDs to user entries.
nsslapd-ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries).
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any Directory Server attribute |
| Default Value | uidNumber |
| Syntax | DirectoryString |
| Example | nsslapd-ldapiuidnumbertype: uidNumber |
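The LDAPI attributes in Sections 3.1.1.76 through 3.1.1.83 depend on one another, so the identity a local process ends up with is easiest to review by walking the dependency chain. The following added example (not part of the original reference, and not Directory Server code) resolves that identity for a given system UID and GID and lists settings that have no effect because a prerequisite is off. The function names and directory entries are constructed; requiring both the UID and the GID to match, and falling back to an anonymous connection when autobind is off or no entry matches, are assumptions of the example.

```python
# Defaults as listed in the parameter tables on this page.
DEFAULTS = {
    "nsslapd-ldapilisten": "off",
    "nsslapd-ldapifilepath": "/var/run/dirsrv/slapd-example.socket",
    "nsslapd-ldapiautobind": "off",
    "nsslapd-ldapimaprootdn": "cn=Directory Manager",
    "nsslapd-ldapimaptoentries": "off",
    "nsslapd-ldapiuidnumbertype": "uidNumber",
    "nsslapd-ldapigidnumbertype": "gidNumber",
    "nsslapd-ldapientrysearchbase": "dc=example,dc=com",
}

# Constructed directory entries, not taken from a real server.
ENTRIES = [
    {"dn": "uid=jsmith,ou=people,dc=example,dc=com", "uidNumber": "1001", "gidNumber": "1001"},
    {"dn": "uid=backup,ou=services,dc=example,dc=com", "uidNumber": "1002", "gidNumber": "1002"},
]

ANONYMOUS = ""


def _settings(cfg):
    """Merge explicit settings over the defaults; attribute names are case-insensitive."""
    return {**DEFAULTS, **{k.lower(): v for k, v in cfg.items()}}


def _on(settings, name):
    return settings[name].lower() == "on"


def _attr(entry, name):
    """Case-insensitive attribute lookup on a constructed entry."""
    return {k.lower(): v for k, v in entry.items()}.get(name.lower())


def _under(dn, base):
    """True if dn is at or below base (simplified: escaped commas are not handled)."""
    def norm(d):
        return ",".join(part.strip().lower() for part in d.split(","))
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def autobind_identity(cfg, uid, gid, entries):
    """Bind DN for a local process on the LDAPI socket.

    Returns None when LDAPI is not available at all and ANONYMOUS ("") when
    the connection is not mapped to any directory user.
    """
    s = _settings(cfg)
    if not (_on(s, "nsslapd-ldapilisten") and s["nsslapd-ldapifilepath"]):
        return None
    if not _on(s, "nsslapd-ldapiautobind"):
        return ANONYMOUS                  # assumption: nothing is bound automatically
    if uid == 0:
        return s["nsslapd-ldapimaprootdn"]
    if not _on(s, "nsslapd-ldapimaptoentries"):
        return ANONYMOUS                  # only root can autobind
    uid_attr = s["nsslapd-ldapiuidnumbertype"]
    gid_attr = s["nsslapd-ldapigidnumbertype"]
    for entry in entries:
        # Assumption: both numbers must match an entry below the search base.
        if (_under(entry["dn"], s["nsslapd-ldapientrysearchbase"])
                and _attr(entry, uid_attr) == str(uid)
                and _attr(entry, gid_attr) == str(gid)):
            return entry["dn"]
    return ANONYMOUS                      # assumption: no match means anonymous


def ineffective_settings(cfg):
    """Names of attributes set in cfg that have no effect with this configuration."""
    s = _settings(cfg)
    explicit = {k.lower() for k in cfg}
    ldapi = _on(s, "nsslapd-ldapilisten") and bool(s["nsslapd-ldapifilepath"])
    autobind = ldapi and _on(s, "nsslapd-ldapiautobind")
    mapping = autobind and _on(s, "nsslapd-ldapimaptoentries")
    unused = []
    if _on(s, "nsslapd-ldapiautobind") and not ldapi:
        unused.append("nsslapd-ldapiautobind")
    if _on(s, "nsslapd-ldapimaptoentries") and not autobind:
        unused.append("nsslapd-ldapimaptoentries")
    for name in ("nsslapd-ldapiuidnumbertype", "nsslapd-ldapigidnumbertype",
                 "nsslapd-ldapientrysearchbase"):
        if name in explicit and not mapping:
            unused.append(name)
    return unused


if __name__ == "__main__":
    cfg = {"nsslapd-ldapilisten": "on", "nsslapd-ldapiautobind": "on"}
    print(repr(autobind_identity(cfg, 0, 0, ENTRIES)))
    print(repr(autobind_identity(cfg, 1001, 1001, ENTRIES)))
```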
3.1.1.84. nsslapd-listen-backlog-size
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | The maximum 64-bit integer value (9223372036854775807) |
| Default Value | 128 |
| Syntax | Integer |
| Example | nsslapd-listen-backlog-size: 128 |
3.1.1.85. nsslapd-listenhost (Listen to IP Address)
nsslapd-listenhost value, then the Directory Server responds to requests for every interface associated with the host name. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-listenhost value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any local host name, IPv4 or IPv6 address |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-listenhost: ldap.example.com |
3.1.1.86. nsslapd-localhost (Local Host)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any fully qualified host name. |
| Default Value | Hostname of installed machine. |
| Syntax | DirectoryString |
| Example | nsslapd-localhost: phonebook.example.com |
3.1.1.87. nsslapd-localuser (Local User)
chown.
nsslapd-localuser is set initially when the server instance is configured.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid user |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-localuser: nobody |
3.1.1.88. nsslapd-lockdir (Server Lock File Directory)
/var/lock/dirsrv/slapd-instance_name. Changes to this value will not take effect until the server is restarted.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Absolute path to a directory owned by the server user ID with write access to the server ID |
| Default Value | /var/lock/dirsrv/slapd-instance_name |
| Syntax | DirectoryString |
| Example | nsslapd-lockdir: /var/lock/dirsrv/slapd-instance_name |
3.1.1.89. nsslapd-malloc-mmap-threshold
service utility, environment variables are not passed to the server unless you set them in the /etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-instance_name file. For further details, see the systemd.exec(3) man page.
M_MMAP_THRESHOLD environment variable, the nsslapd-malloc-mmap-threshold parameter enables you to set the value in the Directory Server configuration. For further details, see the M_MMAP_THRESHOLD parameter description in the mallopt(3) man page.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 - 33554432 |
| Default Value | See the M_MMAP_THRESHOLD parameter description in the mallopt(3) man page. |
| Syntax | Integer |
| Example | nsslapd-malloc-mmap-threshold: 33554432 |
3.1.1.90. nsslapd-malloc-mxfast
service utility, environment variables are not passed to the server unless you set them in the /etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-instance_name file. For further details, see the systemd.exec(3) man page.
M_MXFAST environment variable, the nsslapd-malloc-mxfast parameter enables you to set the value in the Directory Server configuration. For further details, see the M_MXFAST parameter description in the mallopt(3) man page.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 - 80 * (sizeof(size_t) / 4) |
| Default Value | See the M_MXFAST parameter description in the mallopt(3) man page. |
| Syntax | Integer |
| Example | nsslapd-malloc-mxfast: 1048560 |
3.1.1.91. nsslapd-malloc-trim-threshold
service utility, environment variables are not passed to the server unless you set them in the /etc/sysconfig/dirsrv or /etc/sysconfig/dirsrv-instance_name file. For further details, see the systemd.exec(3) man page.
M_TRIM_THRESHOLD environment variable, the nsslapd-malloc-trim-threshold parameter enables you to set the value in the Directory Server configuration. For further details, see the M_TRIM_THRESHOLD parameter description in the mallopt(3) man page.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 2^31-1 |
| Default Value | See the M_TRIM_THRESHOLD parameter description in the mallopt(3) man page. |
| Syntax | Integer |
| Example | nsslapd-malloc-trim-threshold: 131072 |
3.1.1.92. nsslapd-maxbersize (Maximum Message Size)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 - 2 gigabytes (2,147,483,647 bytes). Zero (0) means that the default value should be used. |
| Default Value | 2097152 |
| Syntax | Integer |
| Example | nsslapd-maxbersize: 2097152 |
- Edit the /usr/share/dirsrv/data/template-dse.ldif file before installing the replica.
- Add the nsslapd-maxbersize parameter to the cn: config section of the file. For example, to set the value to 5 megabytes (5242880 bytes):
  dn: cn=config
  cn: config
  nsslapd-maxbersize: 5242880
- Save the changes.
- Start the replica installation.
3.1.1.93. nsslapd-maxdescriptors (Maximum File Descriptors)
nsslapd-conntablesize, and is equal to the nsslapd-maxdescriptors attribute minus the number of file descriptors used by the server as specified in the nsslapd-reservedescriptors attribute for non-client connections, such as index management and managing replication. The nsslapd-reservedescriptors attribute is the number of file descriptors available for other uses as described above. See Section 3.1.1.113, “nsslapd-reservedescriptors (Reserved File Descriptors)”.
ns-slapd process to use. This number differs depending on the operating system.
ldapmodify, the server rejects the new value, keeps the old value, and responds with an error.
dsktune program (explained in the Directory Server Installation Guide) can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. Increase the value of this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:
Not listening for new connections -- too many fds open
Note
limit and ulimit, as these limits can often cause problems.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to 65535 |
| Default Value | 1024 |
| Syntax | Integer |
| Example | nsslapd-maxdescriptors: 1024 |
3.1.1.94. nsslapd-maxsasliosize (Maximum SASL Packet Size)
nsslapd-maxsasliosize attribute. This attribute sets the maximum allowed SASL IO packet size that the server will accept.
nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | |
| Default Value | 2000000 (2MB) |
| Syntax | Integer |
| Example | nsslapd-maxsasliosize: 5000000 |
3.1.1.95. nsslapd-maxthreadsperconn (Maximum Threads per Connection)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to maximum threadnumber |
| Default Value | 5 |
| Syntax | Integer |
| Example | nsslapd-maxthreadsperconn: 5 |
3.1.1.96. nsslapd-minssf
The nsslapd-minssf attribute sets a minimum SSF requirement for any connection to the server; any connection attempt that is weaker than the minimum SSF is rejected.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any positive integer |
| Default Value | 0 (off) |
| Syntax | DirectoryString |
| Example | nsslapd-minssf: 128 |
3.1.1.97. nsslapd-minssf-exclude-rootdse
The nsslapd-minssf-exclude-rootdse attribute sets a minimum SSF requirement for any connection to the server except for queries for the root DSE. This enforces appropriate SSF values for most connections, while still allowing clients to get required information about the server configuration from the root DSE without having to establish a secure connection first.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any positive integer |
| Default Value | 0 (off) |
| Syntax | DirectoryString |
| Example | nsslapd-minssf-exclude-rootdse: 128 |
3.1.1.98. nsslapd-nagle
off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies; specifically, sending data is delayed so that additional data can be grouped into one packet of the underlying network MTU size, typically 1500 bytes for Ethernet.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-nagle: off |
3.1.1.99. nsslapd-ndn-cache-enabled
When the nsslapd-ndn-cache-enabled parameter is enabled, Directory Server caches normalized DNs in memory. Update the nsslapd-ndn-cache-max-size parameter to set the maximum size of this cache.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-ndn-cache-enabled: on |
3.1.1.100. nsslapd-ndn-cache-max-size
When the nsslapd-ndn-cache-enabled parameter is enabled, Directory Server caches normalized DNs in memory. The nsslapd-ndn-cache-max-size parameter sets the maximum size of this cache.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | 0 to the maximum 32-bit integer value (2147483647) |
| Default Value | 20971520 |
| Syntax | Integer |
| Example | nsslapd-ndn-cache-max-size: 20971520 |
3.1.1.101. nsslapd-outbound-ldap-io-timeout
300000 milliseconds (5 minutes). A value of 0 means that the server does not impose a limit on I/O wait time.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to the maximum 32-bit integer value (2147483647) |
| Default Value | 300000 |
| Syntax | DirectoryString |
| Example | nsslapd-outbound-ldap-io-timeout: 300000 |
3.1.1.102. nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
nsslapd-sizelimit attribute for paged searches.
nsslapd-sizelimit attribute is used for paged searches as well as non-paged searches.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32 bit integer value (2147483647) |
| Default Value | |
| Syntax | Integer |
| Example | nsslapd-pagedsizelimit: 10000 |
3.1.1.103. nsslapd-plug-in
3.1.1.104. nsslapd-plugin-binddn-tracking
internalModifiersname.
The nsslapd-plugin-binddn-tracking attribute allows the server to track which user originated an update operation, as well as the internal plug-in which actually performed it. For example:
dn: cn=my_group,ou=groups,dc=example,dc=com
modifiersname: uid=jsmith,ou=people,dc=example,dc=com
internalModifiersname: cn=referential integrity plugin,cn=plugins,cn=config
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-plugin-binddn-tracking: on |
3.1.1.105. nsslapd-port (Port Number)
1024 means the Directory Server has to be started as root.
uid to the nsslapd-localuser value after startup. When changing the port number for a configuration directory, the corresponding server instance entry in the configuration directory must be updated.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to 65535 |
| Default Value | 389 |
| Syntax | Integer |
| Example | nsslapd-port: 389 |
Note
0) to disable the LDAP port if the LDAPS port is enabled.
3.1.1.106. nsslapd-privatenamespaces
cn=config, cn=schema, and cn=monitor.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | cn=config, cn=schema, and cn=monitor |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-privatenamespaces: cn=config |
3.1.1.107. nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
off, all entries (except for cn=Directory Manager) in the directory are subject to the global password policy; the server ignores any defined subtree/user level password policy.
on, the server checks for password policies at the subtree- and user-level and enforces those policies.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-pwpolicy-local: off |
3.1.1.108. nsslapd-readonly (Read Only)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-readonly: off |
3.1.1.109. nsslapd-referral (Referral)
ou=People,dc=example,dc=com
ou=Groups,dc=example,dc=com
Note
ldaps://server-location.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid LDAP URL in the form ldap://server-location |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-referral: ldap://ldap.example.com |
3.1.1.110. nsslapd-referralmode (Referral Mode)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid LDAP URL in the form ldap://server-location |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-referralmode: ldap://ldap.example.com |
3.1.1.111. nsslapd-require-secure-binds
Note
nsslapd-require-secure-binds is turned on.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-require-secure-binds: on |
3.1.1.112. nsslapd-requiresrestart
nsslapd-requiresrestart is changed, the new setting doesn't take effect until after the server is restarted. The list of attributes can be returned in an ldapsearch:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any core server configuration attribute |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-requiresrestart: nsslapd-cachesize |
3.1.1.113. nsslapd-reservedescriptors (Reserved File Descriptors)
- The server is replicating to a large number of consumer servers (more than 10), and/or the server is maintaining a large number of index files (more than 30).
- The server is servicing a large number of LDAP connections.
- There are error messages reporting that the server is unable to open file descriptors (the actual error message differs depending on the operation that the server is attempting to perform), but these error messages are not related to managing client LDAP connections.
nsslapd-maxdescriptors attribute. It may not be possible to increase the nsslapd-maxdescriptors value if the server is already using the maximum number of file descriptors that the operating system allows a process to use; see the operating system documentation for details. If this is the case, then reduce the load on the server by causing LDAP clients to search alternative directory replicas. See Section 3.1.1.42, “nsslapd-conntablesize” for information about file descriptor usage for incoming connections.
nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex + ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
- NldbmBackends is the number of ldbm databases.
- NglobalIndex is the total number of configured indexes for all databases including system indexes. (By default 8 system indexes and 17 additional indexes per database).
- ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
- ChainingBackendDescriptors is NchainingBackend times the nsOperationConnectionsLimit (a chaining or database link configuration attribute; 10 by default).
- PTADescriptors is 3 if PTA is configured and 0 if PTA is not configured.
- SSLDescriptors is 5 (4 files + 1 listensocket) if SSL is configured and 0 if SSL is not configured.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to 65535 |
| Default Value | 64 |
| Syntax | Integer |
| Example | nsslapd-reservedescriptors: 64 |
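The formula above, evaluated for one deployment and compared with the configured nsslapd-maxdescriptors and nsslapd-reservedescriptors values. This is an added example, not Directory Server code; the function names and the sample deployment figures are constructed for illustration.

```python
def reserve_descriptors(ldbm_backends, global_indexes, supplier_replicas,
                        chaining_backends=0, op_connections_limit=10,
                        pta=False, ssl=False):
    """Evaluate the nsslapd-reservedescriptors formula from this section."""
    counts = (ldbm_backends, global_indexes, supplier_replicas,
              chaining_backends, op_connections_limit)
    if any(n < 0 for n in counts):
        raise ValueError("counts must not be negative")
    replication = 8 + supplier_replicas                 # ReplicationDescriptor
    chaining = chaining_backends * op_connections_limit  # ChainingBackendDescriptors
    pta_descriptors = 3 if pta else 0                   # PTADescriptors
    ssl_descriptors = 5 if ssl else 0                   # SSLDescriptors (4 files + 1 listen socket)
    return (20 + ldbm_backends * 4 + global_indexes + replication
            + chaining + pta_descriptors + ssl_descriptors)


def descriptor_budget(maxdescriptors, configured_reserve, needed_reserve):
    """Compare the configured attributes with the reserve the formula calls for."""
    for name, value in (("nsslapd-maxdescriptors", maxdescriptors),
                        ("nsslapd-reservedescriptors", configured_reserve)):
        if not 1 <= value <= 65535:                     # valid range from the tables
            raise ValueError(f"{name} must be between 1 and 65535")
    reserve_after_fix = max(configured_reserve, needed_reserve)
    return {
        # Descriptors left for client connections: max minus reserved.
        "client_descriptors": maxdescriptors - configured_reserve,
        "reserve_shortfall": max(0, needed_reserve - configured_reserve),
        "client_descriptors_after_fix": maxdescriptors - reserve_after_fix,
    }


# Constructed deployment: 2 ldbm databases, 50 indexes in total, 2 supplier
# replicas, 1 chaining back end with the default connection limit, SSL on.
SAMPLE_NEEDED = reserve_descriptors(ldbm_backends=2, global_indexes=50,
                                    supplier_replicas=2, chaining_backends=1,
                                    ssl=True)
SAMPLE_BUDGET = descriptor_budget(maxdescriptors=1024, configured_reserve=64,
                                  needed_reserve=SAMPLE_NEEDED)

if __name__ == "__main__":
    print("reserve needed:", SAMPLE_NEEDED)
    for key, value in SAMPLE_BUDGET.items():
        print(f"{key}: {value}")
```

With the default values of 1024 and 64, this sample deployment reserves fewer descriptors than the formula calls for, and raising the reserve reduces the descriptors left for client connections unless nsslapd-maxdescriptors is raised as well.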
3.1.1.114. nsslapd-return-exact-case (Return Exact Case)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-return-exact-case: off |
3.1.1.115. nsslapd-rewrite-rfc1274
on for those clients. The default is off.
3.1.1.116. nsslapd-rootdn (Manager DN)
cn=Directory Manager are acceptable.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid distinguished name |
| Default Value | |
| Syntax | DN |
| Example | nsslapd-rootdn: cn=Directory Manager |
3.1.1.117. nsslapd-rootpw (Root Password)
nsslapd-rootpwstoragescheme attribute. When viewed from the server console, this attribute shows the value *****. When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. The example shows the password as displayed in the dse.ldif file, not the actual password.
Warning
dse.ldif by directly editing the file. In this situation, the root DN can only obtain the same access to the directory as is allowed for anonymous access. Always make sure that a root password is defined in dse.ldif when a root DN is configured for the database. The pwdhash command-line utility can create a new root password. For more information, see Section 9.3.14, “pwdhash (Prints Encrypted Passwords)”.
Important
{}) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password. If that text is not a valid storage scheme or if the password that follows is not properly hashed, then the Directory Manager cannot bind to the server.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid password encrypted by any one of the encryption methods which are described in Section 3.1.1.168, “passwordStorageScheme (Password Storage Scheme)”. |
| Default Value | |
| Syntax | DirectoryString {encryption_method}encrypted_Password |
| Example | nsslapd-rootpw: {SSHA}9Eko69APCJfF |
3.1.1.118. nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any encryption method as described in Section 3.1.1.168, “passwordStorageScheme (Password Storage Scheme)”. |
| Default Value | SSHA |
| Syntax | DirectoryString |
| Example | nsslapd-rootpwstoragescheme: SSHA |
3.1.1.119. nsslapd-saslpath
SASL_PATH environment variable. If neither nsslapd-saslpath nor SASL_PATH is set, the server attempts to load SASL plugins from the default location, /usr/lib/sasl2.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Path to plugins directory. |
| Default Value | Platform dependent |
| Syntax | DirectoryString |
| Example | nsslapd-saslpath: /usr/lib/sasl2 |
3.1.1.120. nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
nsslapd-schema-ignore-trailing-spaces is on, a value such as top is not added if top is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-schema-ignore-trailing-spaces: on |
3.1.1.121. nsslapd-schemacheck (Schema Checking)
on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. The default schema can be extended using the object classes and attribute types. For information on how to extend the schema using the Directory Server Console, see the "Extending the Directory Schema" chapter in the Directory Server Administrator's Guide.
Warning
extensibleObject object class in those entries to disable schema checking on a per entry basis.
Note
ldapmodify or when importing a database from LDIF using ldif2db. If schema checking is turned off, every entry has to be verified manually to see that it conforms to the schema. If schema checking is turned on, the server sends an error message listing the entries which do not match the schema. Ensure that the attributes and object classes created in the LDIF statements are both spelled correctly and identified in dse.ldif. Either create an LDIF file in the schema directory or add the elements to 99user.ldif.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-schemacheck: on |
3.1.1.122. nsslapd-schemadir
/etc/dirsrv/schema.
3.1.1.123. nsslapd-schemareplace
cn=schema entry.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off | replication-only |
| Default Value | replication-only |
| Syntax | DirectoryString |
| Example | nsslapd-schemareplace: replication-only |
3.1.1.124. nsslapd-securelistenhost
nsslapd-securelistenhost value, then the Directory Server responds to requests for every interface associated with the host name. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-securelistenhost value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any secure host name, IPv4 or IPv6 address |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-securelistenhost: ldaps.example.com |
3.1.1.125. nsslapd-securePort (Encrypted Port Number)
1024 requires that Directory Server be started as root. The server sets its uid to the nsslapd-localuser value after startup.
nsslapd-security is set to on; otherwise, it does not listen on this port.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to 65535 |
| Default Value | 636 |
| Syntax | Integer |
| Example | nsslapd-securePort: 636 |
3.1.1.126. nsslapd-security (Security)
on for secure connections. To run with security on, the server must be configured with a private key and server certificate in addition to the other SSL/TLS configuration.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-security: off |
3.1.1.127. nsslapd-sizelimit (Size Limit)
ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.
ns-slapd returns every matching entry to the client regardless of the number found. To set a no limit value whereby the Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file.
Note
-1 on this attribute in dse.ldif file is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. This cannot have a null value in dse.ldif file, as it is not a valid integer. It is possible to set it to 0, which returns size limit exceeded for every search.
nsSizeLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32 bit integer value (2147483647) |
| Default Value | 2000 |
| Syntax | Integer |
| Example | nsslapd-sizelimit: 2000 |
3.1.1.128. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on and if the host name does not match the cn attribute of the certificate, appropriate error and audit messages are logged.
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636):
Replication bind with SSL client authentication failed:
LDAP error 81 (Can't contact LDAP server)
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-ssl-check-hostname: on |
3.1.1.129. nsslapd-syntaxcheck
- Fax (binary)
- OctetString (binary)
- JPEG (binary)
- Binary (non-standard)
- Space Insensitive String (non-standard)
- URI (non-standard)
The nsslapd-syntaxcheck attribute sets whether to validate and reject attribute modifications. This can be used with the nsslapd-syntaxlogging attribute to write warning messages about invalid attribute values to the error logs.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-syntaxcheck: on |
3.1.1.130. nsslapd-syntaxlogging
nsslapd-syntaxlogging attribute is also enabled, then any invalid attribute change is rejected and written to the errors log. If only nsslapd-syntaxlogging is enabled and nsslapd-syntaxcheck is disabled, then invalid changes are allowed to proceed, but a warning message is written to the error log.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-syntaxlogging: off |
3.1.1.131. nsslapd-threadnumber (Thread Number)
The nsslapd-threadnumber value should be increased if there are many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches. This value may also need to be increased if there are many replication agreements or chained back ends (database links). This attribute is not available from the server console.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum number of threads supported by the system |
| Default Value | 30 |
| Syntax | Integer |
| Example | nsslapd-threadnumber: 60 |
3.1.1.132. nsslapd-timelimit (Time Limit)
ns-slapd returns every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.
Note
-1 on this attribute in the dse.ldif is the same as leaving the attribute blank in the server console in that it causes no limit to be used. However, a negative integer cannot be set in this field in the server console, and a null value cannot be used in the dse.ldif entry, as it is not a valid integer.
nsTimeLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32 bit integer value (2147483647) in seconds |
| Default Value | 3600 |
| Syntax | Integer |
| Example | nsslapd-timelimit: 3600 |
3.1.1.133. nsslapd-tmpdir
/tmp.
3.1.1.134. nsslapd-validate-cert
The nsslapd-validate-cert parameter sets how the Directory Server should respond when it attempts to start with an expired certificate:
- warn allows the Directory Server to start successfully with an expired certificate, but it sends a warning message that the certificate has expired. This is the default setting.
- on validates the certificate and will prevent the server from restarting if the certificate is expired. This sets a hard failure for expired certificates.
- off disables all certificate expiration validation, so the server can start with an expired certificate without logging a warning.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | warn | on | off |
| Default Value | warn |
| Syntax | DirectoryString |
| Example | nsslapd-validate-cert: warn |
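The connection-security and validation attributes described in the preceding sections all live in the cn=config entry of dse.ldif, so they can be reviewed together. The following added example (not part of Directory Server) parses that entry, applies the defaults listed in the tables when an attribute is absent, and reports values that switch a protection off, plus the nsslapd-rootpw conditions from the Warning and Important notes. The function names, the sample LDIF and the SSHA length check (a salted SHA-1 value decodes to more than 20 bytes) are assumptions of this example.

```python
import base64
import binascii
import re

# Defaults from the parameter tables in this reference.
DEFAULTS = {
    "nsslapd-minssf": "0", "nsslapd-require-secure-binds": "off",
    "nsslapd-security": "off", "nsslapd-ssl-check-hostname": "on",
    "nsslapd-validate-cert": "warn", "nsslapd-schemacheck": "on",
    "nsslapd-syntaxcheck": "on",
}

# (attribute, value that produces a finding, effect of that value)
WEAK_VALUES = [
    ("nsslapd-minssf", "0", "no minimum SSF is enforced"),
    ("nsslapd-require-secure-binds", "off", "simple binds are accepted on unprotected connections"),
    ("nsslapd-security", "off", "the server does not listen on the encrypted port"),
    ("nsslapd-ssl-check-hostname", "off", "outbound connections skip the certificate host name check"),
    ("nsslapd-validate-cert", "off", "an expired certificate is accepted at startup without a warning"),
    ("nsslapd-schemacheck", "off", "new and modified entries are not checked against the schema"),
    ("nsslapd-syntaxcheck", "off", "invalid attribute values are not rejected"),
]


def parse_config_entry(ldif_text):
    """Return the cn=config entry as {lower-cased attribute: [values]}."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and raw.strip() and unfolded:
            unfolded[-1] += raw[1:]              # LDIF continuation line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: base64" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    for entry in entries:
        if entry.get("dn", [""])[0].replace(" ", "").lower() == "cn=config":
            return entry
    return {}


def check_rootpw(entry):
    """Apply the Warning and Important notes for nsslapd-rootpw."""
    if "nsslapd-rootdn" not in entry:
        return []
    value = entry.get("nsslapd-rootpw", [""])[0]
    match = re.fullmatch(r"\{([^{}]+)\}(.+)", value)
    if not value:
        return [("nsslapd-rootpw", "root DN is configured but no root password is defined")]
    if not match:
        return [("nsslapd-rootpw", "value is not in {password-storage-scheme}hashed_password form")]
    if match.group(1).upper() == "SSHA":
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) <= 20:   # assumption of this example: 20-byte SHA-1 digest plus salt
            return [("nsslapd-rootpw", "SSHA value is too short to be a salted SHA-1 hash")]
    return []


def audit(ldif_text):
    """Return [(attribute, finding)] for the cn=config entry in ldif_text."""
    entry = parse_config_entry(ldif_text)
    findings = check_rootpw(entry)
    for attr, weak, effect in WEAK_VALUES:
        value = entry.get(attr, [DEFAULTS[attr]])[0].lower()
        if attr == "nsslapd-minssf" and value.isdigit():
            value = str(int(value))              # treat "00" like "0"
        if value == weak:
            findings.append((attr, effect))
    return findings


# Constructed sample; the rootpw value is the shortened one shown in the example table.
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SSHA}9Eko69APCJfF
nsslapd-security: on
nsslapd-require-secure-binds: off
nsslapd-ssl-check-hostname: off
nsslapd-validate-cert: warn

dn: cn=monitor
cn: monitor
"""

if __name__ == "__main__":
    for attr, finding in audit(SAMPLE_DSE):
        print(f"{attr}: {finding}")
```

Run it against a copy of dse.ldif rather than the live file, and extend DEFAULTS and WEAK_VALUES only with attributes whose defaults you have confirmed for your version.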
3.1.1.135. nsslapd-versionstring
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any valid server version number. |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-versionstring: Red Hat-Directory/9.0 |
3.1.1.136. nsslapd-workingdir
getcwd() function, and the value that the system process table shows as its current working directory. This is the directory a core file is generated in. The server user ID must have read and write access to the directory, and no other user ID should have read or write access to it. The default value for this attribute is the same directory containing the error log, which is usually /var/log/dirsrv/slapd-instance_name.
3.1.1.137. nsSSLClientAuth (Client Authentication)
- off - the Directory Server will not accept client authentication
- allowed (default) - the Directory Server will accept client authentication, but not require it
- required - all clients must use client authentication.
Important
If the nsSSLClientAuth attribute is set to required, the Console cannot be used to manage the instance.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | off | allowed | required |
| Default Value | allowed |
| Syntax | DirectoryString |
| Example | nsSSLClientAuth: off |
3.1.1.138. passwordAllowChangeTime
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any integer |
| Default Value | |
| Syntax | DirectoryString |
| Example | passwordAllowChangeTime: 5h |
3.1.1.139. passwordChange (Password Change)
pwdAllowUserChange.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | passwordChange: on |
3.1.1.140. passwordCheckSyntax (Check Password Syntax)
uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.
- The length of string or tokens to use to compare when checking for trivial words in the password (for example, if the token length is three, then no string of three sequential characters in the user's UID, name, email address, or other parameters can be used in the password)
- Minimum number of number characters (0-9)
- Minimum number of uppercase ASCII alphabetic characters
- Minimum number of lowercase ASCII alphabetic characters
- Minimum number of special ASCII characters, such as !@#$
- Minimum number of 8-bit characters
- Minimum number of character categories required per password; a category can be upper- or lower-case letters, special characters, digits, or 8-bit characters
pwdCheckSyntax.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | passwordCheckSyntax: off |
3.1.1.141. passwordExp (Password Expiration)
passwordMaxAge attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | passwordExp: on |
3.1.1.142. passwordExpirationTime
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | Any date, in integers |
| Default Value | none |
| Syntax | GeneralizedTime |
| Example | passwordExpirationTime: 201709011953 |
3.1.1.143. passwordExpWarned
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | true | false |
| Default Value | none |
| Syntax | DirectoryString |
| Example | passwordExpWarned: true |
3.1.1.144. passwordGraceLimit (Password Expiration)
0 means the server does not allow grace logins.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | 0 (off) to any reasonable integer |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordGraceLimit: 3 |
3.1.1.145. passwordHistory (Password History)
on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. Set the number of old passwords the Directory Server stores using the passwordInHistory attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | passwordHistory: on |
3.1.1.146. passwordInHistory (Number of Passwords to Remember)
passwordHistory attribute.
passwordMinAge attribute.
pwdInHistory.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 2 to 24 passwords |
| Default Value | 6 |
| Syntax | Integer |
| Example | passwordInHistory: 7 |
3.1.1.147. passwordIsGlobalPolicy (Password Policy and Replication)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | passwordIsGlobalPolicy: off |
3.1.1.148. passwordKeepHistory
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | 0 (no history) or 1 (keep history) |
| Default Value | 0 |
| Syntax | DirectoryString |
| Example | passwordKeepHistory: 1 |
3.1.1.149. passwordLegacyPolicy
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | passwordLegacyPolicy: on |
3.1.1.150. passwordLockout (Account Lockout)
passwordMaxFailure attribute.
pwdLockOut.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | passwordLockout: off |
3.1.1.151. passwordLockoutDuration (Lockout Duration)
passwordLockout attribute.
pwdLockoutDuration.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) in seconds |
| Default Value | 3600 |
| Syntax | Integer |
| Example | passwordLockoutDuration: 3600 |
3.1.1.152. passwordMaxAge (Password Maximum Age)
passwordExp attribute.
pwdMaxAge.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) in seconds |
| Default Value | 8640000 (100 days) |
| Syntax | Integer |
| Example | passwordMaxAge: 100 |
3.1.1.153. passwordMaxFailure (Maximum Password Failures)
passwordLockout attribute.
pwdMaxFailure.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to maximum integer bind failures |
| Default Value | 3 |
| Syntax | Integer |
| Example | passwordMaxFailure: 3 |
3.1.1.154. passwordMaxRepeats (Password Syntax)
0) is off. Integer values reject any password which used a character more than that number of times; for example, 1 rejects characters that are used more than once (aa) and 2 rejects characters used more than twice (aaa).
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMaxRepeats: 1 |
3.1.1.155. passwordMin8Bit (Password Syntax)
Note
userPassword must be disabled to use this.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMin8Bit: 0 |
3.1.1.156. passwordMinAge (Password Minimum Age)
passwordInHistory (number of passwords to remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) means that the user can change the password immediately.
pwdMaxFailure.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to valid maximum integer |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinAge: 150 |
3.1.1.157. passwordMinAlphas (Password Syntax)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinAlphas: 4 |
3.1.1.158. passwordMinCategories (Password Syntax)
- Lowercase alphabetic characters
- Uppercase alphabetic characters
- Numbers
- Special ASCII characters, such as $ and punctuation marks
- 8-bit characters
2, and the user tried to change the password to aaaaa, the server would reject the password because it contains only lower case characters, and therefore contains characters from only one category. A password of aAaAaA would pass because it contains characters from two categories, uppercase and lowercase.
3, which means that if password syntax checking is enabled, valid passwords have to have three categories of characters.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 5 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinCategories: 2 |
3.1.1.159. PasswordMinDigits (Password Syntax)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinDigits: 3 |
3.1.1.160. passwordMinLength (Password Minimum Length)
pwdMinLength.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 2 to 512 characters |
| Default Value | 6 |
| Syntax | Integer |
| Example | passwordMinLength: 6 |
3.1.1.161. PasswordMinLowers (Password Syntax)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinLowers: 1 |
3.1.1.162. PasswordMinSpecials (Password Syntax)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinSpecials: 1 |
3.1.1.163. PasswordMinTokenLength (Password Syntax)
PasswordMinTokenLength is set to 3, then a givenName of DJ does not result in a policy that rejects DJ from being in the password, but the policy rejects a password containing the givenName of Bob.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to 64 |
| Default Value | 3 |
| Syntax | Integer |
| Example | passwordMinTokenLength: 3 |
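A model of the checks described under passwordMinCategories and PasswordMinTokenLength, added here as an example (it is not Directory Server code). The list of entry attributes that are compared, the splitting of values into tokens, and the case-insensitive match are assumptions.

```python
import re


def categories(password):
    """Return the set of character categories (from the list above) in use."""
    found = set()
    for ch in password:
        if ord(ch) > 127:
            found.add("8bit")
        elif ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")
    return found


def name_tokens(value, min_token_length):
    """Tokens of an attribute value that are long enough to be checked.

    Assumption: values are split on non-word characters.
    """
    return [t for t in re.split(r"\W+", value) if len(t) >= min_token_length]


# Assumption: the entry attributes whose values must not appear in a password.
CHECKED_ATTRS = ("uid", "cn", "sn", "givenName", "mail")


def check_password(password, entry, policy):
    """Return the policy attributes a candidate violates (empty = accepted)."""
    violations = []
    if len(password) < policy["passwordMinLength"]:
        violations.append("passwordMinLength")
    if len(categories(password)) < policy["passwordMinCategories"]:
        violations.append("passwordMinCategories")
    lowered = password.lower()  # assumption: tokens match case-insensitively
    for attr in CHECKED_ATTRS:
        for value in entry.get(attr, []):
            toks = name_tokens(value, policy["passwordMinTokenLength"])
            if any(t.lower() in lowered for t in toks):
                violations.append("passwordMinTokenLength:" + attr)
                break
    return violations


# Constructed policy: the page's worked values (categories 2, token length 3).
POLICY = {"passwordMinLength": 6, "passwordMinCategories": 2,
          "passwordMinTokenLength": 3}

if __name__ == "__main__":
    for pw, entry in [("aaaaa", {}), ("aAaAaA", {}),
                      ("xxDJ42yy", {"givenName": ["DJ"]}),
                      ("Bob4ever", {"givenName": ["Bob"]})]:
        print(pw, check_password(pw, entry, POLICY) or "accepted")
```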
3.1.1.164. PasswordMinUppers (Password Syntax)
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to 64 |
| Default Value | 0 |
| Syntax | Integer |
| Example | passwordMinUppers: 2 |
3.1.1.165. passwordMustChange (Password Must Change)
pwdMustChange.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | passwordMustChange: off |
3.1.1.166. passwordResetDuration
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 0 to the maximum 32 bit integer value (2147483647) in seconds |
| Default Value | 600 |
| Syntax | Integer |
| Example | passwordResetDuration: 600 |
3.1.1.167. passwordResetFailureCount (Reset Password Failure Count After)
passwordLockout attribute is set to on, users are locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration attribute, the failure counter is reset to zero (0).
pwdFailureCountInterval.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) in seconds |
| Default Value | 600 |
| Syntax | Integer |
| Example | passwordResetFailureCount: 600 |
3.1.1.168. passwordStorageScheme (Password Storage Scheme)
- CLEAR means the password is stored in cleartext, with no hashing or encryption. This scheme must be used in order to use SASL DIGEST-MD5.
- SSHA (Salted Secure Hash Algorithm), the default, is the recommended method because it is the most secure. There are several bit sizes available: 160 bits (the default), 256, 384, and 512.
- SHA (Secure Hash Algorithm) is included only for backward compatibility with 4.x Directory Servers; do not use this algorithm.
- MD5 (Message Digest algorithm 5) is a commonly used standard hashing algorithm. This is much weaker than SSHA and is not recommended.
- SMD5 (Salted MD5) is more secure than plain MD5 hash, but still less secure than SSHA. This storage scheme is not included for use with new passwords but to help with migrating user accounts from directories which support salted MD5.
- CRYPT, the UNIX crypt algorithm, is provided for compatibility with UNIX passwords.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | CLEAR | SSHA | SHA | MD5 | SMD5 | CRYPT |
| Default Value | SSHA |
| Syntax | DirectoryString |
| Example | passwordStorageScheme: SSHA |
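How the salted schemes differ from the others in the list above, as an added example (it is not Directory Server code): it builds and checks salted values laid out as base64(digest(password + salt) + salt) and flags userPassword values stored under the schemes the list advises against. The {SSHA256}, {SSHA384} and {SSHA512} prefixes, the 8-byte salt, the treatment of unprefixed values as CLEAR, and the sample entries are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Salted schemes: prefix -> (hashlib name, digest length in bytes).
SALTED = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32),
          "SSHA384": ("sha384", 48), "SSHA512": ("sha512", 64)}

# What the scheme list above says about every other valid value.
ADVICE = {
    "CLEAR": "stored in cleartext; only needed for SASL DIGEST-MD5",
    "SHA": "unsalted; kept for 4.x compatibility, do not use",
    "MD5": "unsalted and much weaker than SSHA",
    "SMD5": "migration aid only, not for new passwords",
    "CRYPT": "UNIX crypt compatibility only",
}


def split_scheme(value):
    """'{SSHA}b64' -> ('SSHA', 'b64'). Assumption: no {prefix} means CLEAR."""
    if value.startswith("{") and "}" in value:
        scheme, _, rest = value[1:].partition("}")
        return scheme.upper(), rest
    return "CLEAR", value


def make_salted(password, scheme="SSHA", salt=None):
    """Build '{scheme}' + base64(digest(password + salt) + salt)."""
    algo, _ = SALTED[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify_salted(password, stored):
    """Recover the salt from the stored value and recompute the digest."""
    scheme, b64 = split_scheme(stored)
    algo, size = SALTED[scheme]
    raw = base64.b64decode(b64)
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit(ldif):
    """Return (dn, scheme, advice) for each userPassword not using SSHA*."""
    findings, dn = [], None
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "dn":
            dn = value.strip()
        elif name == "userpassword":
            if value.startswith(":"):  # "attr:: base64" LDIF form
                value = base64.b64decode(value[1:].strip()).decode()
            scheme, _ = split_scheme(value.strip())
            if scheme not in SALTED:
                findings.append((dn, scheme, ADVICE.get(scheme, "unknown scheme")))
    return findings


def sample_ldif():
    """Constructed entries; the hashes are generated here, not from a server."""
    sha = base64.b64encode(hashlib.sha1(b"example").digest()).decode()
    clear = base64.b64encode(b"{clear}example").decode()
    return "\n".join([
        "dn: uid=alice,ou=People,dc=example,dc=com",
        "userPassword: " + make_salted("example", "SSHA512"),
        "",
        "dn: uid=bob,ou=People,dc=example,dc=com",
        "userPassword: {SHA}" + sha,
        "",
        "dn: uid=carol,ou=People,dc=example,dc=com",
        "userPassword:: " + clear,
    ])


if __name__ == "__main__":
    for finding in audit(sample_ldif()):
        print(finding)
```

Two calls to make_salted with the same password give different stored values because the salt is random, which is what the unsalted SHA and MD5 schemes lack.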
3.1.1.169. passwordTrackUpdateTime
pwdUpdateTime operational attribute to the user account entry (separate from other update times, like modifyTime).
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | passwordTrackUpdateTime: off |
3.1.1.170. passwordUnlock (Unlock Account)
passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account is locked indefinitely.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | passwordUnlock: off |
3.1.1.171. passwordWarning (Send Warning)
pwdExpireWarning.
| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to the maximum 32 bit integer value (2147483647) in seconds |
| Default Value | 86400 (1 day) |
| Syntax | Integer |
| Example | passwordWarning: 86400 |
3.1.2. cn=changelog5
cn=changelog5 entry. The cn=changelog5,cn=config entry is an instance of the extensibleObject object class.
Note
3.1.2.1. nsslapd-changelogdir
/var/lib/dirsrv/slapd-instance_name/changelogdb.
Warning
cn=changelog5 entry is removed, the directory specified in the nsslapd-changelogdir parameter, including any subdirectories, is removed with all of its contents.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog5,cn=config |
| Valid Values | Any valid path to the directory storing the changelog |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb |
3.1.2.2. nsslapd-changelogmaxage (Max Changelog Age)
The nsslapd-changelogmaxage parameter sets the maximum age of a record stored in the changelog. Older records that were successfully transferred to all replicas are removed automatically. If the nsslapd-changelogmaxage and nsslapd-changelogmaxentries parameters are not set, all records are kept.
Note
nsslapd-changelogmaxentries parameter. For further details, see the corresponding sections in the Red Hat Directory Administration Guide.
nsslapd-changelogmaxage parameter additionally sets the maximum age of entries in the retro changelog. The size of the retro changelog is automatically reduced when you set a lower value.
nsslapd-changelog-trim-interval parameter.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog5,cn=config |
| Valid Range | 0 (meaning that entries are not removed according to their age) to maximum 32-bit integer (2147483647) |
| Default Value | 0 |
| Syntax | DirectoryString IntegerAgeID where AgeID is s for seconds, m for minutes, h for hours, d for days, and w for weeks |
| Example | nsslapd-changelogmaxage: 30d |
3.1.2.3. nsslapd-changelogmaxentries (Max Changelog Records)
The nsslapd-changelogmaxentries parameter sets the maximum number of records stored in the changelog. The oldest records that were successfully transferred to all replicas and that exceed this number are removed automatically. If the nsslapd-changelogmaxentries and nsslapd-changelogmaxage parameters are not set, all records are kept.
Note
nsslapd-changelogmaxentries parameter. For further details, see the corresponding sections in the Red Hat Directory Administration Guide.
nsslapd-changelog-trim-interval parameter.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog5,cn=config |
| Valid Range | 0 (meaning that the only maximum limit is the disk size) to maximum 32-bit integer (2147483647) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-changelogmaxentries: 5000 |
3.1.2.4. nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog5,cn=config |
| Valid Range | Maximum number of concurrent changelog writes |
| Default Value | 2 |
| Syntax | DirectoryString |
| Example | nsslapd-changelogmaxconcurrentwrites: 4 |
3.1.2.5. nsslapd-encryptionalgorithm (Encryption Algorithm)
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog5,cn=config |
| Valid Range | AES or 3DES |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-encryptionalgorithm: AES |
3.1.2.6. nsSymmetricKey
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog5,cn=config |
| Valid Range | Base 64-encoded key |
| Default Value | None |
| Syntax | DirectoryString |
| Example | None |
3.1.3. Changelog Attributes
3.1.3.1. change
| OID | 2.16.840.1.113730.3.1.8 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.2. changeLog
| OID | 2.16.840.1.113730.3.1.35 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.3. changeNumber
| OID | 2.16.840.1.113730.3.1.5 |
| Syntax | Integer |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.4. changeTime
YYMMDDHHMMSS format, when the entry was added.
| OID | 2.16.840.1.113730.3.1.77 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.1.3.5. changeType
add, delete, modify, or modrdn. For example:
changeType: modify
| OID | 2.16.840.1.113730.3.1.7 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.6. deleteOldRdn
modrdn operations, this attribute specifies whether the old RDN was deleted.
0) will delete the old RDN. Any other non-zero value will keep the old RDN. (Non-zero values can be negative or positive integers.)
| OID | 2.16.840.1.113730.3.1.10 |
| Syntax | Boolean |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.7. filterInfo
| OID | 2.16.840.1.113730.3.1.206 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.1.3.8. newRdn
modrdn operations, this attribute specifies the new RDN of the entry.
| OID | 2.16.840.1.113730.3.1.9 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.9. newSuperior
modrdn operations, this attribute specifies the new parent (superior) entry for the moved entry.
| OID | 2.16.840.1.113730.3.1.11 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.3.10. targetDn
modrdn operation, the targetDn attribute contains the DN of the entry before it was modified or moved.
| OID | 2.16.840.1.113730.3.1.6 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Changelog Internet Draft |
3.1.4. cn=encryption
cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class.
3.1.4.1. allowWeakDHParam
The allowWeakDHParam parameter allows you to enable support for weak 1024-bit DH parameters in Directory Server.
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | allowWeakDHParam: off |
3.1.4.2. nsSSLActivation
| Entry DN | cn=encryptionType,cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | |
| Syntax | DirectoryString |
| Example | dn: cn=RSA,cn=encryption,cn=config objectclass: top objectclass: nsEncryptionModule cn: RSA nsSSLPersonalitySSL: Server-Cert nsSSLToken: internal (software) nsSSLActivation: on |
3.1.4.3. nssslsessiontimeout
5 seconds. If a smaller value is set, then it is automatically replaced by 5 seconds. A value greater than the maximum value in the valid range below is replaced by the maximum value in the range.
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Range | 5 seconds to 24 hours |
| Default Value | 0, which means use the maximum value in the valid range above. |
| Syntax | Integer |
| Example | nssslsessiontimeout: 5 |
3.1.4.4. nsSSL2
Note
nsSSL2 parameter is ignored if set. Use TLS v1.1 or higher for secure communications.
3.1.4.5. nsSSL2Ciphers
Note
nsSSL2Ciphers parameter is ignored if set. Use TLS v1.1 or higher for secure communications.
3.1.4.6. nsSSL3
Warning
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsSSL3: on |
3.1.4.7. nsSSL3Ciphers
- They are exportable. Exportable ciphers are labeled EXPORT in the cipher name. For example, in TLS_RSA_EXPORT_WITH_RC4_40_MD5.
- They are symmetrical and weaker than the 3DES algorithm. Symmetrical ciphers use the same cryptographic keys for both encryption and decryption.
- The key length is shorter than 128 bits.
Warning
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | Comma separated list of NSS supported ciphers. Additionally, the following values are possible: |
| Default Value | |
| Syntax | DirectoryString. Use the plus (+) symbol to enable or minus (-) symbol to disable, followed by the ciphers. Blank spaces are not allowed in the list of ciphers. To enable all ciphers (except rsa_null_md5, which must be specifically called), specify +all. |
| Example | nsslapd-SSL3ciphers: +TLS_RSA_AES_128_SHA,+TLS_RSA_AES_256_SHA,+TLS_RSA_WITH_AES_128_GCM_SHA256,-RSA_NULL_SHA |
$ ldapsearch -xLLL -H ldap://localhost:389 -D "cn=Directory Manager" -W \
    -b 'cn=encryption,cn=config' -s base nsSSLSupportedCiphers -o ldif-wrap=no
dn: cn=encryption,cn=config
nsSSLSupportedCiphers: TLS::tls_rsa_aes_128_sha::AES::SHA1::128
nsSSLSupportedCiphers: TLS::rsa_aes_128_sha::AES::SHA1::128
nsSSLSupportedCiphers: TLS::tls_dhe_dss_aes_128_sha::AES::SHA1::128
nsSSLSupportedCiphers: TLS::tls_dhe_rsa_aes_128_sha::AES::SHA1::128
nsSSLSupportedCiphers: TLS::tls_rsa_aes_256_sha::AES::SHA1::256
nsSSLSupportedCiphers: TLS::rsa_aes_256_sha::AES::SHA1::256
...
3.1.4.8. nsSSL3SessionTimeout
5 seconds. If a smaller value is set, then it is automatically replaced by 5 seconds. A value greater than the maximum value in the valid range below is replaced by the maximum value in the range.
| Entry DN | cn=encryption,cn=config |
| Valid Range | 5 seconds to 24 hours |
| Default Value | 0, which means use the maximum value in the valid range above. |
| Syntax | Integer |
| Example | nsSSL3SessionTimeout: 5 |
3.1.4.9. nsSSLPersonalitySSL
| Entry DN | cn=encryption,cn=config |
| Valid Values | A certificate nickname |
| Default Value | |
| Syntax | DirectoryString |
| Example: | nsSSLPersonalitySSL: Server-Cert |
3.1.4.10. nsSSLSupportedCiphers
| Entry DN | cn=encryption,cn=config |
| Valid Values | A specific family, cipher, and strength string |
| Default Value | |
| Syntax | DirectoryString |
| Example: | nsSSLSupportedCiphers: SSL3::rc4::RC4::MD5::128 |
3.1.4.11. nsTLS1
nsSSL3Ciphers attribute.
Note
nsTLS10, nsTLS11, and nsTLS12 parameters have a higher priority than nsTLS1. Use these parameters to enable and disable specific TLS versions.
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsTLS1: on |
3.1.4.12. nsTLS10
nsSSL3Ciphers attributes.
nsTLS10 parameter is enabled at the same time as nsTLS1, the value set in nsTLS10 defines if the TLS 1.0 protocol is enabled.
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsTLS10: on |
3.1.4.13. nsTLS11
nsSSL3Ciphers attributes.
nsTLS11 parameter is enabled at the same time as nsTLS1, the value set in nsTLS11 defines if the TLS 1.1 protocol is enabled.
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsTLS11: on |
3.1.4.14. nsTLS12
nsSSL3Ciphers attributes.
nsTLS12 parameter is enabled at the same time as nsTLS1, the value set in nsTLS12 defines if the TLS 1.2 protocol is enabled.
| Parameter | Description |
|---|---|
| Entry DN | cn=encryption,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsTLS12: on |
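An audit of a cn=encryption,cn=config entry against the settings described in this section, added here as an example (it is not Directory Server code). It resolves nsTLS1 against the higher-priority nsTLS10, nsTLS11 and nsTLS12 parameters and applies the three weak-cipher criteria listed under nsSSL3Ciphers to values in the ldapsearch output format shown there. The sample entry, the inheritance model for unset nsTLS1x values, and the set of algorithms treated as weaker than 3DES are assumptions.

```python
# Assumption: which algorithms count as "weaker than 3DES" is local policy.
WEAKER_THAN_3DES = {"DES", "RC2", "RC4", "NULL"}

# Constructed sample entry (unwrapped LDIF, plain values).
SAMPLE = """\
dn: cn=encryption,cn=config
nsSSL3: on
nsTLS1: on
nsTLS10: off
allowWeakDHParam: on
nsSSL3Ciphers: +TLS_RSA_AES_128_SHA,+TLS_RSA_EXPORT_WITH_RC4_40_MD5,-RSA_NULL_SHA
nsSSLSupportedCiphers: TLS::tls_rsa_aes_128_sha::AES::SHA1::128
nsSSLSupportedCiphers: TLS::tls_rsa_aes_256_sha::AES::SHA1::256
nsSSLSupportedCiphers: SSL3::rc4::RC4::MD5::128
nsSSLSupportedCiphers: SSL3::rsa_des_sha::DES::SHA1::56
"""


def parse_entry(ldif):
    """Return {lowercased attribute: [values]} for one unwrapped LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def effective_protocols(attrs):
    """Resolve which protocol versions end up enabled.

    Defaults are the Default Value rows above. Model: an nsTLS1x value that
    is present wins over nsTLS1; one that is absent follows nsTLS1.
    """
    def is_on(name, default):
        return attrs.get(name, [default])[-1].lower() == "on"

    inherited = "on" if is_on("nstls1", "on") else "off"
    return {
        "SSLv3": is_on("nsssl3", "off"),
        "TLS1.0": is_on("nstls10", inherited),
        "TLS1.1": is_on("nstls11", inherited),
        "TLS1.2": is_on("nstls12", inherited),
    }


def weak_supported(value):
    """Apply the three criteria to a 'family::name::cipher::mac::bits' value."""
    _family, name, cipher, _mac, bits = value.split("::")
    reasons = []
    if "export" in name.lower():
        reasons.append("exportable")
    if cipher.upper() in WEAKER_THAN_3DES:
        reasons.append("weaker than 3DES")
    if int(bits) < 128:
        reasons.append("key shorter than 128 bits")
    return reasons


def enabled_ciphers(spec):
    """Split an nsSSL3Ciphers value into (enabled, disabled) cipher names."""
    on, off = [], []
    for item in (i.strip() for i in spec.split(",")):
        if item.startswith("+"):
            on.append(item[1:])
        elif item.startswith("-"):
            off.append(item[1:])
    return on, off


def audit(ldif):
    """Return a list of findings for one cn=encryption,cn=config entry."""
    attrs = parse_entry(ldif)
    proto = effective_protocols(attrs)
    findings = []
    if proto["SSLv3"]:
        findings.append("nsSSL3 is on: SSLv3 is enabled")
    if proto["TLS1.0"]:
        findings.append("TLS 1.0 is enabled; the notes above ask for TLS v1.1 or higher")
    if attrs.get("allowweakdhparam", ["off"])[-1].lower() == "on":
        findings.append("allowWeakDHParam is on: 1024-bit DH parameters are accepted")
    for spec in attrs.get("nsssl3ciphers", []):
        for name in enabled_ciphers(spec)[0]:
            upper = name.upper()
            if upper == "ALL" or "EXPORT" in upper or "NULL" in upper:
                findings.append("nsSSL3Ciphers enables " + name)
    for value in attrs.get("nssslsupportedciphers", []):
        reasons = weak_supported(value)
        if reasons:
            findings.append("supported cipher %s: %s"
                            % (value.split("::")[1], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```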
3.1.4.15. nsSSLToken
| Entry DN | cn=encryption,cn=config |
| Valid Values | A module name |
| Default Value | |
| Syntax | DirectoryString |
| Example: | nsSSLToken: internal (software) |
3.1.5. cn=features
cn=features entry itself. This entry is only used as a parent container entry, with the nsContainer object class.
oid attribute to identify the feature and the directoryServerFeature object class, plus optional identifying information about the feature, such as specific ACLs. For example:
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20170129132357Z
modifyTimestamp: 20170129132357Z
3.1.5.1. oid
The oid attribute contains an object identifier assigned to a directory service feature. oid is used as the naming attribute for these directory features.
| OID | 2.16.840.1.113730.3.1.215 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.1.6. cn=mapping tree
- Configuration attributes for suffixes, replication, and Windows synchronization are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry cn=suffix,cn=mapping tree,cn=config. For example, a suffix is the root entry in the directory tree, such as dc=example,dc=com.
- Replication configuration attributes are stored under cn=replica,cn=suffix,cn=mapping tree,cn=config.
- Replication agreement attributes are stored under cn=replicationAgreementName,cn=replica,cn=suffix,cn=mapping tree,cn=config.
- Windows synchronization agreement attributes are stored under cn=syncAgreementName,cn=replica,cn=suffix,cn=mapping tree,cn=config.
3.1.7. Suffix Configuration Attributes under cn=suffixName
cn=suffix entry. The cn=suffix entry is an instance of the nsMappingTree object class which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server, these object classes (in addition to the top object class) must be present in the entry.
3.1.7.1. nsslapd-state
| Parameter | Description |
|---|---|
| Entry DN | cn=suffix,cn=mapping tree,cn=config |
| Valid Values | backend | disabled | referral | referral on update. backend means the back end (database) processes all operations. disabled means the database is not available for processing operations. The server returns a "No such search object" error in response to requests made by client applications. referral means a referral is returned for requests made to this suffix. referral on update means the database is used for all operations except update requests, which receive a referral. |
| Default Value | backend |
| Syntax | DirectoryString |
| Example | nsslapd-state: backend |
3.1.7.2. nsslapd-backend
nsslapd-state attribute is set to backend or referral on update. The value should be the name of the back end database entry instance under cn=ldbm database,cn=plugins,cn=config. For example:
o=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
| Parameter | Description |
|---|---|
| Entry DN | cn=suffix,cn=mapping tree,cn=config |
| Valid Values | Any valid partition name |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-backend: userRoot |
3.1.8. Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config
cn=replica,cn=suffix,cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. For further information about replication, see the "Managing Replication" chapter in the Directory Server Administrator's Guide.
3.1.8.1. nsds5DebugReplicaTimeout
nsds5debugreplicatimeout: seconds[:debuglevel]
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any numeric string |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsds5debugreplicatimeout: 60:8192 |
3.1.8.2. nsDS5Flags
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 | 1 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsDS5Flags: 0 |
3.1.8.3. nsDS5ReplConflict
cn=replica entry, it is used in conjunction with replication. This multi-valued attribute is included on entries that have a change conflict that cannot be resolved automatically by the synchronization process. To check for replication conflicts requiring administrator intervention, perform an LDAP search for (nsDS5ReplConflict=*). For example:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -x -s sub -b dc=example,dc=com "(|(objectclass=nsTombstone)(nsDS5ReplConflict=*))" dn nsDS5ReplConflict nsUniqueID
"(objectclass=nsTombstone)" also shows tombstone (deleted) entries. The value of the nsDS5ReplConflict contains more information about which entries are in conflict, usually by referring to them by their nsUniqueID. It is possible to search for a tombstone entry by its nsUniqueID. For example:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -x -s sub -b dc=example,dc=com "(|(objectclass=nsTombstone)(nsUniqueID=66a2b699-1dd211b2-807fa9c3-a58714648))"
3.1.8.4. nsDS5ReplicaAbortCleanRUV
0 means that the task is inactive, and a value of 1 means that the task is active.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 | 1 |
| Default Value | None |
| Syntax | Integer |
| Example | nsDS5ReplicaAbortCleanRUV: 1 |
3.1.8.5. nsDS5ReplicaAutoReferral
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | on | off |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaAutoReferral: on |
3.1.8.6. nsDS5ReplicaBindDN
cn=replica entry, there can only be one supplier bind DN per replication agreement. Each value should be the DN of a local entry on the consumer server. If replication suppliers are using client certificate-based authentication to connect to the consumers, configure the certificate mapping on the consumer to map the subjectDN in the certificate to a local entry.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaBindDN: cn=replication manager,cn=config |
3.1.8.7. nsDS5ReplicaChangeCount
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | -1 to maximum 32-bit integer (2147483647) |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaChangeCount: 675 |
3.1.8.8. nsDS5ReplicaCleanRUV
0 means that the task is inactive, and a value of 1 means that the task is active.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 | 1 |
| Default Value | None |
| Syntax | Integer |
| Example | nsDS5ReplicaCleanRUV: 0 |
3.1.8.9. nsDS5ReplicaId
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | 0 to 65534 |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaId: 1 |
3.1.8.10. nsDS5ReplicaLegacyConsumer
false, then it means that the replica is not a legacy consumer.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaLegacyConsumer: false |
3.1.8.11. nsDS5ReplicaName
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | DirectoryString (a UID identifies the replica) |
| Example | nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648 |
3.1.8.12. nsDS5ReplicaPurgeDelay
nsDS5ReplicaPurgeDelay value is removed when an entry which contains the state information is modified.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | 0 (keep forever) to maximum 32-bit integer (2147483647) |
| Default Value | 604800 [1 week (60x60x24x7)] |
| Syntax | Integer |
| Example | nsDS5ReplicaPurgeDelay: 604800 |
3.1.8.13. nsDS5ReplicaReapActive
0 means that the task is inactive, and a value of 1 means that the task is active. The server ignores the modify request if this value is set manually.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 | 1 |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaReapActive: 0 |
3.1.8.14. nsDS5ReplicaReferral
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid LDAP URL |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaReferral: ldap://ldap.example.com |
3.1.8.15. nsDS5ReplicaReleaseTimeout
0 disables the timeout. Any other value determines the length of the timeout in seconds.
Note
0 but lower than 30. Short timeouts typically decrease replication performance.
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 to maximum 32-bit integer (2147483647) in seconds |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaReleaseTimeout: 60 |
3.1.8.16. nsDS5ReplicaRoot
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Suffix of the database being replicated, which is the suffix DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaRoot: "dc=example,dc=com" |
3.1.8.17. nsDS5ReplicaTombstonePurgeInterval
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | 0 to maximum 32-bit integer (2147483647) in seconds |
| Default Value | 86400 (1 day) |
| Syntax | Integer |
| Example | nsDS5ReplicaTombstonePurgeInterval: 86400 |
3.1.8.18. nsDS5ReplicaType
| Parameter | Description |
|---|---|
| Entry DN | cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 | 1 | 2 | 3 |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaType: 2 |
3.1.8.19. nsds5Task
CLEANRUV or CLEANALLRUV task).
3.1.9. Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config
cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config. The cn=ReplicationAgreementName entry is an instance of the nsDS5ReplicationAgreement object class. Replication agreements are configured only on supplier replicas.
3.1.9.1. cn
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid cn |
| Default Value | |
| Syntax | DirectoryString |
| Example | cn: MasterAtoMasterB |
3.1.9.2. description
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | DirectoryString |
| Example | description: Replication Agreement between Server A and Server B. |
3.1.9.3. nsDS5ReplicaBindDN
cn=replica on the consumer replica. This may be empty if certificate-based authentication is used, in which case the DN used is the subject DN of the certificate, and the consumer must have appropriate client certificate mapping enabled. This can also be modified.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid DN (can be empty if client certificates are used) |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaBindDN: cn=replication manager,cn=config |
3.1.9.4. nsDS5ReplicaBindMethod
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | SIMPLE | SSLCLIENTAUTH. The SIMPLE bind method requires a DN and password. |
| Default Value | SIMPLE |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaBindMethod: SIMPLE |
3.1.9.5. nsDS5ReplicaBusyWaitTime
LDAP_UNWILLING_TO_PERFORM error code.
nsDS5ReplicaBusyWaitTime attribute works in conjunction with the nsDS5ReplicaSessionPauseTime attribute. The two attributes are designed so that the nsDS5ReplicaSessionPauseTime interval is always at least one second longer than the interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer.
nsDS5ReplicaBusyWaitTime attribute at any time by using changetype:modify with the replace operation. The change takes effect for the next update session if one is already in progress.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsDS5ReplicaBusyWaitTime: 3 |
3.1.9.6. nsDS5ReplicaChangesSentSinceStartup
nsds5replicaChangesSentSinceStartup:: MToxLzAg
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | 0 to maximum 32-bit integer (2147483647) |
| Default Value | |
| Syntax | Integer |
| Example | nsds5replicaChangesSentSinceStartup:: MToxLzAg |
3.1.9.7. nsDS5ReplicaCredentials
nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value for this attribute can be modified. When certificate-based authentication is used, this attribute may not have a value. The example shows the dse.ldif entry, not the actual password. If this value is set over LDAP or using the Console, set it to the cleartext credentials, and let the server encrypt the value.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid password, which is then encrypted using the DES reversible password encryption schema. |
| Default Value | |
| Syntax | DirectoryString {DES} encrypted_password |
| Example | nsDS5ReplicaCredentials:{DES} 9Eko69APCJfF08A0aD0C |
3.1.9.8. nsds5ReplicaEnabled
on, so that replication is enabled.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsds5ReplicaEnabled: off |
3.1.9.9. nsds5ReplicaFlowControlPause
nsds5ReplicaFlowControlWindow parameter is reached. Updating both the nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause parameters enables you to fine-tune the replication throughput. For further details, see Section 3.1.9.10, “nsds5ReplicaFlowControlWindow”.
| Parameter | Description |
|---|---|
| Entry DN | cn=replication_agreement_name,cn=replica,cn=suffix_DN,cn=mapping tree,cn=config |
| Valid Values | 0 to maximum 64-bit long |
| Default Value | 2000 |
| Syntax | Integer |
| Example | nsds5ReplicaFlowControlPause: 2000 |
3.1.9.10. nsds5ReplicaFlowControlWindow
nsds5ReplicaFlowControlPause parameter. Updating both the nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause parameters enables you to fine-tune the replication throughput.
Total update flow control gives time (2000 msec) to the consumer before sending more entries [ msgid sent: xxx, rcv: yyy]) If total update fails you can try to increase nsds5ReplicaFlowControlPause and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement configuration
| Parameter | Description |
|---|---|
| Entry DN | cn=replication_agreement_name,cn=replica,cn=suffix_DN,cn=mapping tree,cn=config |
| Valid Values | 0 to maximum 64-bit long |
| Default Value | 1000 |
| Syntax | Integer |
| Example | nsds5ReplicaFlowControlWindow: 1000 |
3.1.9.11. nsDS5ReplicaHost
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid host server name |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaHost: ldap2.example.com |
3.1.9.12. nsDS5ReplicaLastInitEnd
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time. |
| Default Value | |
| Syntax | GeneralizedTime |
| Example | nsDS5ReplicaLastInitEnd: 20170504121603Z |
3.1.9.13. nsDS5ReplicaLastInitStart
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time. |
| Default Value | |
| Syntax | GeneralizedTime |
| Example | nsDS5ReplicaLastInitStart: 20170503030405 |
3.1.9.14. nsDS5ReplicaLastInitStatus
0) means success.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 (Consumer Initialization Succeeded), followed by any other status message. |
| Default Value | |
| Syntax | String |
| Example | nsDS5ReplicaLastInitStatus: 0 Consumer Initialization Succeeded |
3.1.9.15. nsDS5ReplicaLastUpdateEnd
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time. |
| Default Value | |
| Syntax | GeneralizedTime |
| Example | nsDS5ReplicaLastUpdateEnd: 20170502175801Z |
3.1.9.16. nsDS5ReplicaLastUpdateStart
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | YYYYMMDDhhmmssZ is the date/time in Generalized Time form at which the connection was opened. This value gives the time in relation to Greenwich Mean Time. The hours are set with a 24-hour clock. The Z at the end indicates that the time is relative to Greenwich Mean Time. |
| Default Value | |
| Syntax | GeneralizedTime |
| Example | nsDS5ReplicaLastUpdateStart: 20170504122055Z |
3.1.9.17. nsDS5ReplicaLastUpdateStatus
0) means success.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 (no replication sessions started), followed by any other error or status message |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully |
3.1.9.18. nsDS5ReplicaPort
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Port number for the remote server containing the replica |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaPort:389 |
3.1.9.19. nsDS5ReplicaReapActive
0) means that the task is inactive, and a value of 1 means that the task is active. If this value is set manually, the server ignores the modify request.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 0 | 1 |
| Default Value | |
| Syntax | Integer |
| Example | nsDS5ReplicaReapActive: 0 |
3.1.9.20. nsDS5BeginReplicaRefresh
start, then the server initializes the replica and removes the attribute value. To monitor the status of the initialization procedure, poll for this attribute. When initialization is finished, the attribute is removed from the entry, and the other monitoring attributes can be used for detailed status inquiries.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | stop | start |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5BeginReplicaRefresh: start |
3.1.9.21. nsDS5ReplicaRoot
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Suffix of the database being replicated - same as suffixDN above |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaRoot: "dc=example,dc=com" |
3.1.9.22. nsDS5ReplicaSessionPauseTime
0. If the attribute is set to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.
nsDS5ReplicaSessionPauseTime attribute works in conjunction with the nsDS5ReplicaBusyWaitTime attribute. The two attributes are designed so that the nsDS5ReplicaSessionPauseTime interval is always at least one second longer than the interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can re-access the consumer.
- If either attribute is specified but not both, nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime.
- If both attributes are specified, but nsDS5ReplicaSessionPauseTime is less than or equal to nsDS5ReplicaBusyWaitTime, nsDS5ReplicaSessionPauseTime is set automatically to 1 second more than nsDS5ReplicaBusyWaitTime.
nsDS5ReplicaSessionPauseTime interval is at least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. Increase the interval as needed until there is an acceptable distribution of consumer access among the suppliers.
nsDS5ReplicaSessionPauseTime attribute at any time by using changetype:modify with the replace operation. The change takes effect for the next update session if one is already in progress.
nsDS5ReplicaSessionPauseTime automatically, the value is changed internally only. The change is not visible to clients, and it is not saved to the configuration file. From an external viewpoint, the attribute value appears as originally set.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid integer |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsDS5ReplicaSessionPauseTime: 0 |
3.1.9.23. nsds5ReplicaStripAttrs
nsDS5ReplicatedAttributeList). However, a change to an excluded attribute still triggers a modify event and generates an empty replication update.
nsds5ReplicaStripAttrs attribute adds a list of attributes which cannot be sent in an empty replication event and are stripped from the update sequence. This logically includes operational attributes like modifiersName.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | A space-separated list of any supported directory attribute |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsds5ReplicaStripAttrs: modifiersname modifytimestamp |
3.1.9.24. nsDS5ReplicatedAttributeList
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE accountlockout memberof |
3.1.9.25. nsDS5ReplicatedAttributeListTotal
nsDS5ReplicatedAttributeList sets the incremental replication list; if only nsDS5ReplicatedAttributeList is set, then this list applies to total updates as well.
nsDS5ReplicatedAttributeListTotal sets the list of attributes to exclude only from a total update.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountlockout |
3.1.9.26. nsDS5ReplicaTimeout
Warning: timed out waiting messages in the error log file, then increase the value of this attribute.
nsDS5ReplicaTimeout attribute accordingly to optimize performance.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | 0 to maximum 32-bit integer value (2147483647) in seconds |
| Default Value | 600 |
| Syntax | Integer |
| Example | nsDS5ReplicaTimeout: 600 |
3.1.9.27. nsDS5ReplicaTransportInfo
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | SSL | LDAP |
| Default Value | absent |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaTransportInfo: LDAP |
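An added example, not part of the Directory Server documentation: a Python check over replication agreement entries taken from an exported dse.ldif, flagging risky combinations of nsDS5ReplicaBindMethod and nsDS5ReplicaTransportInfo and the case where the stored nsDS5ReplicaSessionPauseTime is silently overridden. The sample LDIF and the finding codes are constructed for this example, and treating an absent nsDS5ReplicaTransportInfo as plain LDAP is an assumption.

```python
import base64

# Constructed sample (not from a real server): two agreement entries as they
# might appear in an exported dse.ldif. Hosts, DNs and the {DES} value are made up.
SAMPLE_LDIF = """\
dn: cn=AtoB,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: AtoB
nsDS5ReplicaHost: ldap2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,
 cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}CONSTRUCTED-PLACEHOLDER
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBusyWaitTime: 5
nsDS5ReplicaSessionPauseTime: 2

dn: cn=AtoC,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: AtoC
nsDS5ReplicaHost: ldap3.example.com
nsDS5ReplicaPort: 636
nsds5replicabindmethod: SSLCLIENTAUTH
nsDS5ReplicaTransportInfo: SSL
"""


def parse_ldif(text):
    """Return a list of entries mapping lower-cased attribute names to value lists."""
    logical = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        # Attribute names are case-insensitive (nsDS5... and nsds5... both occur).
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def first_value(entry, attr, default=None):
    values = entry.get(attr.lower())
    return values[0] if values else default


def audit_agreement(entry):
    """Return a list of (code, message) findings for one agreement entry."""
    findings = []
    method = first_value(entry, "nsDS5ReplicaBindMethod", "SIMPLE").upper()  # documented default
    # Assumption of this example: an absent transport attribute means plain LDAP.
    transport = first_value(entry, "nsDS5ReplicaTransportInfo", "LDAP").upper()

    if method == "SIMPLE":
        if not (first_value(entry, "nsDS5ReplicaBindDN")
                and first_value(entry, "nsDS5ReplicaCredentials")):
            findings.append(("simple-bind-incomplete",
                             "SIMPLE requires a bind DN and a password"))
        if transport != "SSL":
            findings.append(("simple-bind-cleartext",
                             "bind DN and password cross the network unencrypted"))
    elif method == "SSLCLIENTAUTH":
        if transport != "SSL":
            findings.append(("certauth-without-ssl",
                             "certificate bind configured on a non-SSL transport"))
    else:
        findings.append(("unknown-bind-method", method))

    # When both timers are set and pause <= busy wait, the server uses
    # busy wait + 1 internally while the stored value stays unchanged.
    busy = first_value(entry, "nsDS5ReplicaBusyWaitTime")
    pause = first_value(entry, "nsDS5ReplicaSessionPauseTime")
    if busy is not None and pause is not None and int(pause) <= int(busy):
        findings.append(("pause-time-overridden",
                         f"stored pause {pause}s, server uses {int(busy) + 1}s"))
    return findings


def audit_ldif(text):
    """Map each agreement's cn to the list of finding codes raised for it."""
    report = {}
    for entry in parse_ldif(text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "nsds5replicationagreement" in classes:
            name = first_value(entry, "cn", "?")
            report[name] = [code for code, _ in audit_agreement(entry)]
    return report


if __name__ == "__main__":
    for name, codes in audit_ldif(SAMPLE_LDIF).items():
        print(name, codes or "ok")
```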
3.1.9.28. nsDS5ReplicaUpdateInProgress
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | true | false |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS5ReplicaUpdateInProgress: true |
3.1.9.29. nsDS5ReplicaUpdateSchedule
0000-0001 0, this in effect causes the server to stop sending updates for this replication agreement. The server continues to store them for replay later. If the value is later changed back to 0000-2359 0123456, this makes replication immediately resume and sends all pending changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=ReplicationAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Range | Time schedule presented as XXXX-YYYY 0123456, where XXXX is the starting hour, YYYY is the finishing hour, and the numbers 0123456 are the days of the week starting with Sunday. |
| Default Value | 0000-2359 0123456 (all the time) |
| Syntax | Integer |
| Example | nsDS5ReplicaUpdateSchedule: 0000-2359 0123456 |
3.1.10. Synchronization Attributes under cn=syncAgreementName,cn=WindowsReplica,cn=suffixName,cn=mapping tree,cn=config
cn=syncAgreementName, cn=WindowsReplica,cn=suffixDN, cn=mapping tree,cn=config. The cn=syncAgreementName entry is an instance of the nsDSWindowsReplicationAgreement object class. For synchronization agreement configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Synchronization agreements are configured only on databases that are enabled to synchronize with Windows Active Directory servers.
3.1.10.1. nsds7DirectoryReplicaSubtree
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid suffix or subsuffix |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS7DirectoryReplicaSubtree: ou=People,dc=example,dc=com |
3.1.10.2. nsds7DirsyncCookie
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS7DirsyncCookie::khDKJFBZsjBDSCkjsdhIU74DJJVBXDhfvjmfvbhzxj |
3.1.10.3. nsds7NewWinGroupSyncEnabled
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | on | off |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS7NewWinGroupSyncEnabled: on |
3.1.10.4. nsds7NewWinUserSyncEnabled
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | on | off |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS7NewWinUserSyncEnabled: on |
3.1.10.5. nsds7WindowsDomain
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid domain name |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS7WindowsDomain: DOMAINWORLD |
3.1.10.6. nsds7WindowsReplicaSubtree
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | Any valid suffix or subsuffix |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsDS7WindowsReplicaSubtree: cn=Users,dc=domain,dc=com |
3.1.10.7. oneWaySync
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | toWindows | fromWindows | null |
| Default Value | |
| Syntax | DirectoryString |
| Example | oneWaySync: fromWindows |
3.1.10.8. winSyncInterval
300 (300 seconds).
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | 1 to the maximum 32-bit integer value (2147483647) |
| Default Value | 300 |
| Syntax | Integer |
| Example | winSyncInterval: 600 |
3.1.10.9. winSyncMoveAction
samAccount in the Active Directory and the uid attribute in Directory Server. If a previously synced entry (based on the samAccount/uid relationship) is removed from the synced subtree, either because it is deleted or moved, the synchronization plug-in recognizes that the entry is no longer to be synced.
winSyncMoveAction attribute for the synchronization agreement sets instructions on how to handle these moved entries:
- none takes no action, so if a synced Directory Server entry exists, it may be synced over to or create an Active Directory entry within scope. If no synced Directory Server entry exists, nothing happens at all (this is the default behavior).
- unsync removes any sync-related attributes (ntUser or ntGroup) from the Directory Server entry but otherwise leaves the Directory Server entry intact. The Active Directory and Directory Server entries exist in tandem.
  Important
  There is a risk when unsyncing entries that the Active Directory entry may be deleted at a later time, and the Directory Server entry will be left intact. This can create data inconsistency issues, especially if the Directory Server entry is ever used to recreate the entry on the Active Directory side later.
- delete deletes the corresponding entry on the Directory Server side, regardless of whether it was ever synced with Active Directory (this was the default behavior in 9.0).
  Important
  You almost never want to delete a Directory Server entry without deleting the corresponding Active Directory entry. This option is available only for compatibility with Directory Server 9.0 systems.
| Parameter | Description |
|---|---|
| Entry DN | cn=syncAgreementName,cn=replica,cn=suffixDN,cn=mapping tree,cn=config |
| Valid Values | none | delete | unsync |
| Default Value | none |
| Syntax | DirectoryString |
| Example | winSyncMoveAction: unsync |
3.1.11. cn=monitor
cn=monitor. This entry and its children are read-only; clients cannot directly modify them. The server updates this information automatically. This section describes the cn=monitor attributes. The only attribute that can be changed by a user to set access control is the aci attribute.
nsslapd-counters attribute in cn=config is set to on (the default setting), then all of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. For the cn=monitor entry, the 64-bit integers are used with the opsinitiated, opscompleted, entriessent, and bytessent counters.
Note
nsslapd-counters attribute enables 64-bit support for these specific database and server counters. The counters which use 64-bit integers are not configurable; the 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.
This attribute lists open connections. These are given in the following format:
connection: A:YYYYMMDDhhmmssZ:B:C:D:E
For example:
connection: 31:20010201164808Z:45:45::cn=directory manager
- A is the connection number, which is the number of the slot in the connection table associated with this connection. This is the number logged as slot=A in the access log message when this connection was opened, and usually corresponds to the file descriptor associated with the connection. The attribute dTableSize shows the total size of the connection table.
- YYYYMMDDhhmmssZ is the date and time, in GeneralizedTime form, at which the connection was opened. This value gives the time in relation to Greenwich Mean Time.
- B is the number of operations received on this connection.
- C is the number of completed operations.
- D is r if the server is in the process of reading BER from the network, empty otherwise. This value is usually empty (as in the example).
- E is the bind DN. This may be empty or have a value of NULLDN for anonymous connections.
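The connection value format described above, parsed in Python as an added example (not part of the Directory Server documentation). The first sample value is the one shown above; the other three are constructed, and the class, function and summary key names are chosen for this example.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import NamedTuple


class Connection(NamedTuple):
    slot: int            # A: slot in the connection table (slot=A in the access log)
    opened: datetime     # YYYYMMDDhhmmssZ, GMT
    ops_received: int    # B
    ops_completed: int   # C
    reading: bool        # D: "r" while the server is reading BER from the network
    bind_dn: str         # E: may be empty or NULLDN for anonymous connections

    @property
    def anonymous(self):
        return self.bind_dn == "" or self.bind_dn.upper() == "NULLDN"

    @property
    def pending(self):
        """Operations received but not yet completed."""
        return self.ops_received - self.ops_completed


def parse_connection(value):
    """Parse one cn=monitor connection value, with or without the attribute name."""
    text = value.strip()
    if text.lower().startswith("connection:"):
        text = text[len("connection:"):].strip()
    # Only the first five colons are field separators. The bind DN is the
    # remainder and may itself contain colons, so cap the split at five.
    parts = text.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {value!r}")
    slot, opened, received, completed, flag, bind_dn = parts
    if flag not in ("", "r"):
        raise ValueError(f"unexpected read flag {flag!r} in {value!r}")
    when = datetime.strptime(opened, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return Connection(int(slot), when, int(received), int(completed),
                      flag == "r", bind_dn)


def summarize(values):
    """Summarize a list of connection values for a quick review of who is bound."""
    conns = [parse_connection(v) for v in values]
    return {
        # DNs are compared case-insensitively, so count them lower-cased.
        "by_bind_dn": Counter("(anonymous)" if c.anonymous else c.bind_dn.lower()
                              for c in conns),
        "anonymous_slots": sorted(c.slot for c in conns if c.anonymous),
        "pending_ops": {c.slot: c.pending for c in conns if c.pending > 0},
    }


SAMPLE_VALUES = [
    "connection: 31:20010201164808Z:45:45::cn=directory manager",  # from the text above
    "connection: 64:20170202131102Z:3:2:r:NULLDN",                  # constructed
    "connection: 65:20170202131105Z:0:0::",                         # constructed
    "connection: 66:20170202131110Z:12:10::uid=app:batch,ou=Services,dc=example,dc=com",  # constructed
]

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_VALUES).items():
        print(key, val)
```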
This attribute shows the number of currently open and active Directory Server connections.
This attribute shows the total number of Directory Server connections. This number includes connections that have been opened and closed since the server was last started in addition to the currentConnections.
This attribute shows the size of the Directory Server connection table. Each connection is associated with a slot in this table, and usually corresponds to the file descriptor used by this connection. See Section 3.1.1.42, “nsslapd-conntablesize” for more information.
This attribute shows the number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
This attribute shows the current time, given in Greenwich Mean Time (indicated by generalizedTime syntax Z notation; for example, 20170202131102Z).
This attribute shows the Directory Server start time given in Greenwich Mean Time, indicated by generalizedTime syntax Z notation. For example, 20170202131102Z.
This attribute shows the Directory Server vendor, version, and build number. For example, Red Hat/9.0.1 B2017.274.08.
This attribute shows the number of threads used by the Directory Server. This should correspond to nsslapd-threadnumber in cn=config.
This attribute shows the DN for each Directory Server database back end. For further information on monitoring the database, see the following sections:
3.1.12. cn=replication
cn=replication node, which serves as a placeholder.
3.1.13. cn=sasl
cn=mapping,cn=sasl,cn=config. The cn=sasl entry is an instance of the nsContainer object class. Each mapping underneath it is an instance of the nsSaslMapping object class.
3.1.13.1. nsSaslMapBaseDNTemplate
| Parameter | Description |
|---|---|
| Entry DN | cn=mapping_name,cn=mapping,cn=sasl,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | IA5String |
| Example | nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com |
3.1.14. cn=SNMP
cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class.
3.1.14.1. nssnmpenabled
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nssnmpenabled: off |
3.1.14.2. nssnmporganization
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | Organization name |
| Default Value | |
| Syntax | DirectoryString |
| Example | nssnmporganization: Red Hat, Inc. |
3.1.14.3. nssnmplocation
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | Location |
| Default Value | |
| Syntax | DirectoryString |
| Example | nssnmplocation: B14 |
3.1.14.4. nssnmpcontact
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | Contact email address |
| Default Value | |
| Syntax | DirectoryString |
| Example | nssnmpcontact: jerome@example.com |
3.1.14.5. nssnmpdescription
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | Description |
| Default Value | |
| Syntax | DirectoryString |
| Example | nssnmpdescription: Employee directory instance |
3.1.14.6. nssnmpmasterhost
nssnmpmasterhost is deprecated. This attribute is deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | machine host name or localhost |
| Default Value | <blank> |
| Syntax | DirectoryString |
| Example | nssnmpmasterhost: localhost |
3.1.14.7. nssnmpmasterport
nssnmpmasterport attribute was deprecated with the introduction of net-snmp. The attribute still appears in dse.ldif but without a default value.
| Parameter | Description |
|---|---|
| Entry DN | cn=SNMP,cn=config |
| Valid Values | Operating system dependent port number. See the operating system documentation for further information. |
| Default Value | <blank> |
| Syntax | Integer |
| Example | nssnmpmasterport: 199 |
3.1.15. SNMP Statistic Attributes
nsslapd-counters attribute in cn=config is set to on (the default setting), then all of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. All of the SNMP statistics attributes use the 64-bit integers, if it is configured.
Note
nsslapd-counters attribute enables 64-bit integers for these specific database and server counters. The counters which use 64-bit integers are not configurable; 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.
Table 3.7. SNMP Statistic Attributes
| Attribute | Description |
|---|---|
| AnonymousBinds | This shows the number of anonymous bind requests. |
| UnAuthBinds | This shows the number of unauthenticated (anonymous) binds. |
| SimpleAuthBinds | This shows the number of LDAP simple bind requests (DN and password). |
| StrongAuthBinds | This shows the number of LDAP SASL bind requests, for all SASL mechanisms. |
| BindSecurityErrors | This shows the number of times an invalid password was given in a bind request. |
| InOps | This shows the total number of all requests received by the server. |
| ReadOps | Not used. This value is always 0. |
| CompareOps | This shows the number of LDAP compare requests. |
| AddEntryOps | This shows the number of LDAP add requests. |
| RemoveEntryOps | This shows the number of LDAP delete requests. |
| ModifyEntryOps | This shows the number of LDAP modify requests. |
| ModifyRDNOps | This shows the number of LDAP modify RDN (modrdn) requests. |
| ListOps | Not used. This value is always 0. |
| SearchOps | This shows the number of LDAP search requests. |
| OneLevelSearchOps | This shows the number of one-level search operations. |
| WholeSubtreeSearchOps | This shows the number of subtree-level search operations. |
| Referrals | This shows the number of LDAP referrals returned. |
| Chainings | Not used. This value is always 0. |
| SecurityErrors | This shows the number of errors returned that were security related, such as invalid passwords, unknown or invalid authentication methods, or stronger authentication required. |
| Errors | This shows the number of errors returned. |
| Connections | This shows the number of currently open connections. |
| ConnectionSeq | This shows the total number of connections opened, including both currently open and closed connections. |
| BytesRecv | This shows the number of bytes received. |
| BytesSent | This shows the number of bytes sent. |
| EntriesReturned | This shows the number of entries returned as search results. |
| ReferralsReturned | This provides information on referrals returned as search results (continuation references). |
| MasterEntries | Not used. This value is always 0. |
| CopyEntries | Not used. This value is always 0. |
| CacheEntries[a] | If the server has only one database back end, this is the number of entries cached in the entry cache. If the server has more than one database back end, this value is 0; see the monitor entry for each one for more information. |
| CacheHits[a] | If the server has only one database back end, this is the number of entries returned from the entry cache, rather than from the database, for search results. If the server has more than one database back end, this value is 0; see the monitor entry for each one for more information. |
| SlaveHits | Not used. This value is always 0. |
[a] CacheEntries and CacheHits are updated every ten (10) seconds. Red Hat strongly encourages using the database back end specific monitor entries for this and other database information.
3.1.16. cn=tasks
cn=tasks. Each task can be invoked by updating an entry such as the following:
dn: cn=task_id,cn=task_type,cn=tasks,cn=config ...
cn=tasks entry.
cn=tasks entry:
cn=tasks entry itself has no attributes and serves as the parent and container entry for the individual task entries.
Important
ttl period expires. Then, the entry is deleted automatically by the server.
3.1.16.1. Task Invocation Attributes for Entries under cn=tasks
extensibleObject, and have certain common attributes which describe the state and behavior of Directory Server tasks. The task types can be import, export, backup, restore, index, schema reload, and memberof.
The cn attribute identifies a new task operation to initiate. The cn attribute value can be anything, as long as it defines a new task.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | DirectoryString |
| Example | cn: example task entry name |
This attribute contains changing information about the status of the task, such as cumulative statistics or its current output message. The entire contents of the attribute may be updated periodically for as long as the process is running.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | case-exact string |
| Example | nsTaskStatus: Loading entries.... |
This entry contains all of the log messages for the task, including both warning and information messages. New messages are appended to the end of the entry value, so this attribute value grows larger, without erasing the original contents, by default.
nsTaskExitCode of 0, are only recorded in the nsTaskLog attribute. Any non-zero response, which indicates an error, may be recorded in the error log as an error, but the error message is only recorded in the nsTaskLog attribute. For this reason, use the information in the nsTaskLog attribute to find out what errors actually occurred.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | Case-exact string |
| Example | nsTaskLog: example... |
This attribute contains the exit code for the task. This attribute only exists after the task is completed and any value is only valid if the task is complete. The result code can be any LDAP exit code, as listed in Section 7.4, “LDAP Result Codes”, but only a 0 value equals success; any other result code is an error.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | 0 (success) to 97[a] |
| Default Value | |
| Syntax | Integer |
| Example | nsTaskExitCode: 0 |
[a] Any response other than 0 is an error.
This attribute shows the number of subtasks that the task operation has completed, assuming the task can be broken down into subtasks. If there is only one task, then nsTaskCurrentItem is 0 while the task is running, and 1 when the task is complete. In this way, the attribute is analogous to a progress bar. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, then the task is completed.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | 0 to the maximum 32 bit integer value (2147483647) |
| Default Value | |
| Syntax | Integer |
| Example | nsTaskCurrentItem: 148 |
This attribute shows the total number of subtasks that must be completed for the task operation. When the nsTaskCurrentItem attribute has the same value as nsTaskTotalItems, then the task is completed.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | 0 to the maximum 32 bit integer value (2147483647) |
| Default Value | |
| Syntax | Integer |
| Example | nsTaskTotalItems: 152 |
This attribute allows a task to be aborted while in progress. This attribute can be modified by users.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | |
| Syntax | Case-insensitive string |
| Example | nsTaskCancel: true |
This attribute sets the amount of time (in seconds) the task entry will remain in the DSE after the task has finished or aborted. Setting a ttl attribute allows the task entry to be polled for new status information without missing the exit code. Setting the ttl attribute to 0 means that the entry is not cached.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=task_type,cn=tasks,cn=config |
| Valid Values | 0 (cannot be cached) to the maximum 32 bit integer value (2147483647) |
| Default Value | |
| Syntax | DirectoryString |
| Example | ttl: 120 |
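How a client might interpret successive reads of a task entry using the status attributes described above. This is an added example, not code from the original reference; the function names are hypothetical, and the snapshot values and log messages are constructed.

```python
def task_state(entry):
    """Summarise one read of a task entry.

    entry is {attribute: [values]} as an LDAP search would return it, or
    None when the search found no entry (for example once ttl has expired).
    """
    if entry is None:
        return {"state": "gone", "exit_code": None, "progress": None, "log": []}
    attrs = {name.lower(): values for name, values in entry.items()}

    def first_int(name):
        values = attrs.get(name)
        return int(values[0]) if values else None

    # nsTaskExitCode only exists once the task has completed, and 0 is the
    # only value that means success.
    exit_code = first_int("nstaskexitcode")
    if exit_code is None:
        state = "running"
    elif exit_code == 0:
        state = "succeeded"
    else:
        state = "failed"
    current, total = first_int("nstaskcurrentitem"), first_int("nstasktotalitems")
    progress = current / total if current is not None and total else None
    # Assumption: messages appended to nsTaskLog are separated by newlines.
    log = [line for value in attrs.get("nstasklog", [])
           for line in value.splitlines() if line.strip()]
    return {"state": state, "exit_code": exit_code, "progress": progress, "log": log}


def watch(snapshots):
    """Follow a task over successive reads and return its final outcome."""
    log = []
    last_state = "unknown"
    for snapshot in snapshots:
        current = task_state(snapshot)
        if current["state"] == "gone":
            # The entry was removed before an exit code was read, so the
            # outcome cannot be determined from the task entry any more.
            return {"state": "unknown", "exit_code": None, "log": log}
        # nsTaskLog only grows, so everything past what was already seen is new.
        log.extend(current["log"][len(log):])
        last_state = current["state"]
        if last_state != "running":
            return {"state": last_state, "exit_code": current["exit_code"], "log": log}
    return {"state": last_state, "exit_code": None, "log": log}


# Constructed snapshots of one import task entry (log text is illustrative).
RUNNING = {"nsTaskStatus": ["Loading entries...."],
           "nsTaskCurrentItem": ["148"], "nsTaskTotalItems": ["152"],
           "nsTaskLog": ["Import started"]}
DONE = {"nsTaskCurrentItem": ["152"], "nsTaskTotalItems": ["152"],
        "nsTaskExitCode": ["0"],
        "nsTaskLog": ["Import started\nImport complete"]}
FAILED = {"nsTaskExitCode": ["1"],
          "nsTaskLog": ["Import started\nCould not open LDIF file"]}

if __name__ == "__main__":
    for name, reads in [("ok", [RUNNING, DONE]), ("failed", [RUNNING, FAILED]),
                        ("missed", [RUNNING, None])]:
        print(name, watch(reads))
```

The `[RUNNING, None]` sequence is the case a ttl value guards against: the entry disappears between two reads and the exit code is never seen.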
3.1.16.2. cn=import
The cn=import entry is a container entry for import task operations. The cn=import entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID, cn=import, cn=tasks, cn=config, uses the following attributes to define the import task.
cn=import must contain the LDIF file to import (in the nsFilename attribute) and the name of the instance into which to import the file (in the nsInstance attribute). Additionally, it must contain a unique cn to identify the task. For example:
dn: cn=example import,cn=import,cn=tasks,cn=config
objectclass: extensibleObject
cn: example import
nsFilename: /home/files/example.ldif
nsInstance: userRoot
ldif2db and ldif2db.pl scripts:
- nsIncludeSuffix, which is analogous to the -s option to specify the suffix to import
- nsExcludeSuffix, analogous to the -x option to specify a suffix or subtree to exclude from the import
- nsImportChunkSize, analogous to the -c option to override starting a new pass during the import and merge the chunks
- nsImportIndexAttrs, which sets whether to import attribute indexes (with no corollary in the script options)
- nsUniqueIdGenerator, analogous to the -g option to generate unique ID numbers for the entries
- nsUniqueIdGeneratorNamespace, analogous to the -G option to generate a unique, name-based ID for the entries
The nsFilename attribute contains the path and filenames of the LDIF files to import into the Directory Server instance. To import multiple files, add multiple instances of this attribute. For example:
nsFilename: file1.ldif
nsFilename: file2.ldif
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | Case-exact string, multi-valued |
| Example | nsFilename: /home/jsmith/example.ldif |
This attribute supplies the name of the database instance into which to import the files, such as NetscapeRoot or slapd-example.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | The name of a Directory Server instance (any string) |
| Default Value | |
| Syntax | Case-exact string |
| Example | nsInstance: userRoot |
This attribute identifies a specific suffix or subtree to import from the LDIF file.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | Any DN |
| Default Value | |
| Syntax | DN, multi-valued |
| Example | nsIncludeSuffix: ou=people,dc=example,dc=com |
This attribute identifies suffixes or subtrees in the LDIF file to exclude from the import.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | Any DN |
| Default Value | |
| Syntax | DN, multi-valued |
| Example | nsExcludeSuffix: ou=machines,dc=example,dc=com |
This attribute defines the number of chunks to have during the import operation, which overrides the server's detection during the import of when to start a new pass and merges the chunks.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | 0 to the maximum 32 bit integer value (2147483647) |
| Default Value | |
| Syntax | Integer |
| Example | nsImportChunkSize: 10 |
This attribute sets whether to index the attributes that are imported into the database instance.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | true |
| Syntax | Case-insensitive string |
| Example | nsImportIndexAttrs: true |
This sets whether to generate a unique ID for the imported entries. By default, this attribute generates time-based IDs.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | none (no unique ID) | empty (time-based ID) | deterministic namespace (name-based ID) |
| Default Value | empty |
| Syntax | Case-insensitive string |
| Example | nsUniqueIdGenerator: |
This attribute defines how to generate name-based IDs; the attribute sets the namespace to use to generate the IDs. This option is useful to import the same LDIF file into two Directory Server instances when the entries need to have the same IDs.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=import,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | Case-insensitive string |
| Example | nsUniqueIdGeneratorNamespace: example |
3.1.16.3. cn=export
The cn=export entry is a container entry for export task operations. The cn=export entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID, cn=export, cn=tasks, cn=config, uses the following attributes to define the export task.
cn=export must contain the name of the database to export (in the nsInstance attribute) and the name of the LDIF file to write the output to (in the nsFilename attribute). Additionally, it must contain a unique cn to identify the task. For example:
dn: cn=example export,cn=export,cn=tasks,cn=config
objectclass: extensibleObject
cn: example export
nsInstance: userRoot
nsFilename: /home/files/example.ldif
db2ldif and db2ldif.pl scripts:
- nsIncludeSuffix, analogous to the -s option, to specify the suffixes to include in the exported LDIF files
- nsExcludeSuffix, analogous to the -x option, to exclude the specified suffixes from the exported LDIF files
- nsUseOneFile, analogous to the -M option, to break up the exported suffixes into individual LDIF files
- nsExportReplica, analogous to the -r option, to indicate whether the exported database is used in replication
- nsPrintKey, analogous to the -N option, to set whether to print the entry IDs as the entries are processed by the export operation
- nsUseId2Entry, analogous to the -C option, to set whether to use only the main index, id2entry, to list the entries to export
- nsNoWrap, analogous to the -U option, to set whether to wrap long lines in the LDIF file
- nsDumpUniqId, analogous to the -u option, to set whether to include the unique IDs with the entries when they are exported
The nsFilename attribute contains the path and filenames of the LDIF files to which to export the Directory Server instance database.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | Case-exact string, multi-valued |
| Example | nsFilename: /home/jsmith/example.ldif |
This attribute supplies the name of the database instance from which to export the database, such as NetscapeRoot or userRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | The name of a Directory Server instance (any string) |
| Default Value | |
| Syntax | Case-exact string, multi-valued |
| Example | nsInstance: userRoot |
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | Any DN |
| Default Value | |
| Syntax | DN, multi-valued |
| Example | nsIncludeSuffix: ou=people,dc=example,dc=com |
This attribute identifies suffixes or subtrees in the database to exclude from the exported LDIF file.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | Any DN |
| Default Value | |
| Syntax | DN, multi-valued |
| Example | nsExcludeSuffix: ou=machines,dc=example,dc=com |
This attribute sets whether to export all Directory Server instances to a single LDIF file or separate LDIF files.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | Case-insensitive string |
| Example | nsUseOneFile: true |
This attribute identifies whether the exported database will be used in replication. For replicas, the proper attributes and settings will be included with the entry to initialize the replica automatically.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | Case-insensitive string |
| Example | nsExportReplica: true |
This attribute sets whether to print the entry ID number as the entry is processed by the export task.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | true |
| Syntax | Case-insensitive string |
| Example | nsPrintKey: false |
The nsUseId2Entry attribute uses the main database index, id2entry, to define the exported LDIF entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | Case-insensitive string |
| Example | nsUseId2Entry: true |
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | Case-insensitive string |
| Example | nsNoWrap: false |
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=export,cn=tasks,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | Case-insensitive string |
| Example | nsDumpUniqId: true |
3.1.16.4. cn=backup
The cn=backup entry is a container entry for backup task operations. The cn=backup entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID, cn=backup, cn=tasks, cn=config, uses the following attributes to define the backup task.
cn=backup must contain the location of the directory to which to copy the archive copy (in the nsArchiveDir attribute) and the type of database being backed up (in the nsDatabaseTypes attribute). Additionally, it must contain a unique cn to identify the task. For example:
dn: cn=example backup,cn=backup,cn=tasks,cn=config
objectclass: extensibleObject
cn: example backup
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database
nsslapd-bakdir attribute.
cn=backup task, the task will fail with an LDAP object class violation error (65).
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=backup,cn=tasks,cn=config |
| Valid Values | Any local directory location |
| Default Value | |
| Syntax | Case-exact string |
| Example | nsArchiveDir: /export/backups |
This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=backup,cn=tasks,cn=config |
| Valid Values | ldbm database |
| Default Value | ldbm database |
| Syntax | Case-exact string |
| Example | nsDatabaseType: ldbm database |
3.1.16.5. cn=restore
The cn=restore entry is a container entry for task operations to restore a database. The cn=restore entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID, cn=restore, cn=tasks, cn=config, uses the following attributes to define the restore task.
cn=restore must contain the location of the directory from which to retrieve the archive copy (in the nsArchiveDir attribute) and the type of database being restored (in the nsDatabaseTypes attribute). Additionally, it must contain a unique cn to identify the task. For example:
dn: cn=example restore,cn=restore,cn=tasks,cn=config
objectclass: extensibleObject
cn: example restore
nsArchiveDir: /export/backups/
nsDatabaseType: ldbm database
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=restore,cn=tasks,cn=config |
| Valid Values | Any local directory location |
| Default Value | |
| Syntax | Case-exact string |
| Example | nsArchiveDir: /export/backups |
This attribute gives the kind of database being archived. Setting the database types signals what kind of backup plug-in the Directory Server should use to archive the database.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=restore,cn=tasks,cn=config |
| Valid Values | ldbm database |
| Default Value | ldbm database |
| Syntax | Case-exact string |
| Example | nsDatabaseType: ldbm database |
3.1.16.6. cn=index
The cn=index entry is a container entry for index task operations. The cn=index entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID, cn=index, cn=tasks, cn=config, uses the following attributes to define the backup task.
cn=index can create a standard index by identifying the attribute to be indexed and the type of index to create, both defined in the nsIndexAttribute attribute.
vlvindex script.
dn: cn=example presence index,cn=index,cn=tasks,cn=config
objectclass: top
objectclass: extensibleObject
cn: example presence index
nsInstance: userRoot
nsIndexAttribute: "cn:pres"

dn: cn=example VLV index,cn=index,cn=tasks,cn=config
objectclass: extensibleObject
cn: example VLV index
nsIndexVLVAttribute: "by MCC ou=people,dc=example,dc=com"
This attribute gives the name of the attribute to index and the types of indexes to apply. The format of the attribute value is the attribute name and a comma-separated list of index types, enclosed in double quotation marks. For example:
nsIndexAttribute: attribute:index1,index2
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=index,cn=tasks,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | Case-insensitive string, multi-valued |
| Example | |
This attribute gives the name of the target entry for a VLV index. A virtual list view is based on a browsing index entry (as described in the Administrator's Guide), which defines the virtual list base DN, scope, and filter. The nsIndexVLVAttribute value is the browsing index entry, and the VLV creation task is run according to the browsing index entry parameters.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=index,cn=tasks,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | Case-insensitive string, multi-valued |
| Example | |
3.1.16.7. cn=schema reload task
cn=tasks entry.
/etc/dirsrv/slapd-instance_name/schema directory.
Important
dn: cn=example schema reload,cn=schema reload task,cn=tasks,cn=config
objectclass: extensibleObject
cn:example schema reload
schemadir: /export/schema
The cn=schema reload task entry is a container entry for schema reload operations. The cn=schema reload task entry itself has no attributes, but each of the task entries within this entry, such as cn=task_ID, cn=schema reload task, cn=tasks, cn=config, uses the schema reload attributes to define the individual reload task.
The cn attribute identifies a new task operation to initiate. The cn attribute value can be anything, as long as it defines a new task.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=schema reload task,cn=tasks,cn=config |
| Valid Values | Any string |
| Default Value | |
| Syntax | DirectoryString |
| Example | cn: example reload task ID |
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=schema reload task,cn=tasks,cn=config |
| Valid Values | Any local directory path |
| Default Value | /etc/dirsrv/schema |
| Syntax | DirectoryString |
| Example | schemadir: /export/schema/ |
3.1.16.8. cn=memberof task
The memberOf attribute is created and managed by the Directory Server automatically to display group membership on the members' user entries. When the member attribute on a group entry is changed, all of the members' associated directory entries are automatically updated with their corresponding memberOf attributes.
The cn=memberof task (and the related fixup-memberof.pl script) is used to create the initial memberOf attributes on the members' user entries in the directory. After the memberOf attributes are created, the MemberOf Plug-in manages the memberOf attributes automatically.
memberOf update task must give the DN of the entry or subtree to run the update task against (set in the basedn attribute). Optionally, the task can include a filter to identify the members' user entries to update (set in the filter attribute). For example:
dn: cn=example memberOf,cn=memberof task,cn=tasks,cn=config
objectclass: extensibleObject
cn:example memberOf
basedn: ou=people,dc=example,dc=com
filter: (objectclass=groupofnames)
The cn=memberof task entry is a container entry for memberOf update operations. The cn=memberof task entry itself has no attributes, but each of the task entries beneath this entry, such as cn=task_ID, cn=memberof task, cn=tasks, cn=config, uses its attributes to define the individual update task.
This attribute gives the base DN to search for the user entries whose memberOf attribute is to be updated.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=memberof task,cn=tasks,cn=config |
| Valid Values | Any DN |
| Default Value | |
| Syntax | DN |
| Example | basedn: ou=people,dc=example,dc=com |
This attribute gives an optional LDAP filter to select the user entries whose memberOf attribute is to be updated. Each member of a group has a corresponding user entry in the directory.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=memberof task,cn=tasks,cn=config |
| Valid Values | Any LDAP filter |
| Default Value | (objectclass=*) |
| Syntax | DirectoryString |
| Example | filter: (l=Sunnyvale) |
3.1.16.9. cn=fixup linked attributes
member attribute in group entries to set memberOf attribute in user entries. With linked attributes, any attribute can be defined as a "link," and then another attribute is "managed" in affected entries.
cn=fixup linked attributes (and the related fixup-linkedattrs.pl script) creates the managed attributes — based on link attributes that already exist in the database — in the user entries once the linking plug-in instance is created. After the linked and managed attributes are set, the Linked Attributes Plug-in maintains the managed attributes dynamically, as users change the link attributes.
dn: cn=example,cn=fixup linked attributes,cn=tasks,cn=config
objectclass: extensibleObject
cn:example
linkdn: cn=Example Link,cn=Linked Attributes,cn=plugins,cn=config
The cn=fixup linked attributes entry is a container entry for any linked attribute update operation. The cn=fixup linked attributes entry itself has no attributes related to individual tasks, but each of the task entries beneath this entry, such as cn=task_ID, cn=fixup linked attributes, cn=tasks, cn=config, uses its attributes to define the individual update task.
Each linked-managed attribute pair is configured in a linked attributes plug-in instance. The linkdn attribute sets the specific linked attribute plug-in used to update the entries by giving the plug-in instance DN. For example:
linkdn: cn=Manager Attributes,cn=Linked Attributes,cn=plugins,cn=config
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=fixup linked attributes,cn=tasks,cn=config |
| Valid Values | A DN (for an instance of the Linked Attributes plug-in) |
| Default Value | None |
| Syntax | DN |
| Example | linkdn: cn=Manager Links,cn=Linked Attributes,cn=plugins,cn=config |
3.1.16.10. cn=syntax validate
dn: cn=example,cn=syntax validate,cn=tasks,cn=config
objectclass: extensibleObject
cn:example
basedn: ou=people,dc=example,dc=com
filter: "(objectclass=inetorgperson)"
The cn=syntax validate entry is a container entry for any syntax validation operation. The cn=syntax validate entry itself has no attributes that are specific to any task. Each of the task entries beneath this entry, such as cn=task_ID, cn=syntax validate, cn=tasks, cn=config, uses its attributes to define the individual update task.
basedn: ou=people,dc=example,dc=com
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=syntax validate,cn=tasks,cn=config |
| Valid Values | Any DN |
| Default Value | None |
| Syntax | DN |
| Example | basedn: dc=example,dc=com |
Contains an optional LDAP filter which can be used to identify specific entries beneath the given basedn against which to run the syntax validation task. If this attribute is not set on the task, then every entry within the basedn is audited. For example:
filter: "(objectclass=person)"
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=syntax validate,cn=tasks,cn=config |
| Valid Values | Any LDAP filter |
| Default Value | "(objectclass=*)" |
| Syntax | DirectoryString |
| Example | filter: "(objectclass=*)" |
3.1.16.11. cn=USN tombstone cleanup task
entryUSN operational attribute. This USN is set even when an entry is deleted, and the tombstone entries are maintained by the Directory Server instance.
The cn=USN tombstone cleanup task (and the related usn-tombstone-cleanup.pl script) deletes the tombstone entries maintained by the instance according to the back end database (in the backend attribute) or the suffix (in the suffix attribute). Optionally, only a subset of tombstone entries can be deleted by specifying a maximum USN to delete (in the max_usn_to_delete attribute), which preserves the most recent tombstone entries.
dn: cn=example,cn=USN tombstone cleanup task,cn=tasks,cn=config
objectclass: extensibleObject
cn:example
backend: userroot
max_usn_to_delete: 500
Important
ldap_add: DSA is unwilling to perform
[...] usn-plugin - Suffix dc=example,dc=com is replicated. Unwilling to perform cleaning up tombstones.
The cn=USN tombstone cleanup task entry is a container entry for all USN tombstone delete operations. The cn=USN tombstone cleanup task entry itself has no attributes related to any individual task, but each of the task entries beneath this entry, such as cn=task_ID, cn=USN tombstone cleanup task, cn=tasks, cn=config, uses its attributes to define the individual update task.
This gives the Directory Server instance back end, or database, to run the cleanup operation against. If the back end is not specified, then the suffix must be specified.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=USN tombstone cleanup task,cn=tasks,cn=config |
| Valid Values | Database name |
| Default Value | None |
| Syntax | DirectoryString |
| Example | backend: userroot |
This gives the highest USN value to delete when removing tombstone entries. All tombstone entries up to and including that number are deleted. Tombstone entries with higher USN values (i.e., more recent entries) are not deleted.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=USN tombstone cleanup task,cn=tasks,cn=config |
| Valid Values | Any integer |
| Default Value | None |
| Syntax | Integer |
| Example | max_usn_to_delete: 500 |
This gives the suffix or subtree in the Directory Server to run the cleanup operation against. If the suffix is not specified, then the back end must be given.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=USN tombstone cleanup task,cn=tasks,cn=config |
| Valid Values | Any subtree DN |
| Default Value | None |
| Syntax | DN |
| Example | suffix: dc=example,dc=com |
3.1.16.12. cn=cleanallruv
[09/Sep/2017:09:03:43 -0600] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not
contain element [{replica 55 ldap://server.example.com:389} 4e6a27ca000000370000 4e6a27e8000000370000]
which is present in RUV [database RUV]
......
[09/Sep/2017:09:03:43 -0600] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica
dc=example,dc=com there were some differences between the changelog max RUV and the database RUV. If
there are obsolete elements in the database RUV, you should remove them using the CLEANRUV task. If they
are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
The cn=cleanallruv task propagates through all servers in the replication topology and removes the RUV entries associated with the specified missing or obsolete supplier.
The cn=cleanallruv entry is a container entry for all clean RUV operations. The cn=cleanallruv entry itself has no attributes related to any individual task, but each of the task entries beneath this entry, such as cn=task_ID,cn=cleanallruv, cn=tasks,cn=config, uses its attributes to define the individual update task.
dn: cn=clean 55,cn=cleanallruv,cn=tasks,cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 55
replica-force-cleaning: no
cn: clean 55
This gives the Directory Server base DN associated with the replicated database. This is the base DN for the replicated suffix.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=cleanallruv,cn=tasks,cn=config |
| Valid Values | Directory suffix DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | replica-base-dn: dc=example,dc=com |
This gives the replica ID (defined in the nsDS5ReplicaId attribute for the replica configuration entry) of the replica to be removed from the replication topology.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=cleanallruv,cn=tasks,cn=config |
| Valid Values | 0 to 65534 |
| Default Value | None |
| Syntax | Integer |
| Example | replica-id: 55 |
This sets whether any outstanding updates from the replica to be removed should be applied (no) or whether the clean RUV operation should force-continue and lose any remaining updates (yes).
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=cleanallruv,cn=tasks,cn=config |
| Valid Values | no | yes |
| Default Value | None |
| Syntax | DirectoryString |
| Example | replica-force-cleaning: no |
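A pre-flight check for task entries before they are added under cn=tasks, covering the import, USN tombstone cleanup and cleanallruv tasks described above. This is an added example, not part of the original reference or of Directory Server; the function names are hypothetical, the sample LDIF is constructed, and treating replica-base-dn and replica-id as required is an assumption based on the page's example entry.

```python
import re

INT32_MAX = 2147483647
BOOL = ("true", "false")
# Constraints taken from the attribute tables on this page (names lowercased).
# Assumption: replica-base-dn and replica-id are treated as required.
RULES = {
    "import": {"required": ["nsfilename", "nsinstance"],
               "choice": {"nsimportindexattrs": BOOL},
               "int": {"nsimportchunksize": (0, INT32_MAX)}},
    "usn tombstone cleanup task": {"one_of": ["backend", "suffix"],
                                   "int": {"max_usn_to_delete": (None, None)}},
    "cleanallruv": {"required": ["replica-base-dn", "replica-id"],
                    "int": {"replica-id": (0, 65534)},
                    "choice": {"replica-force-cleaning": ("no", "yes")}},
}
TASK_DN = re.compile(r"^cn=([^,]+),\s*cn=([^,]+),\s*cn=tasks,\s*cn=config$", re.I)


def parse_ldif(text):
    """Parse plain-text LDIF into [(dn, {lowercased attribute: [values]})]."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep or value.startswith((":", "<")):
                raise ValueError(f"unsupported LDIF line (no base64/URL): {line!r}")
            key = name.strip().lower()
            if key == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key, []).append(value.strip())
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def validate_task(dn, attrs):
    """Return [(severity, message)] for one task entry."""
    match = TASK_DN.match(dn)
    if not match:
        return [("error", "DN is not cn=task_name,cn=task_type,cn=tasks,cn=config")]
    task_type = match.group(2).strip().lower()
    rules = RULES.get(task_type)
    if rules is None:
        return [("info", f"no rules defined for task type {task_type!r}")]
    out = []
    if "cn" not in attrs:
        out.append(("error", "missing cn to identify the task"))
    for name in rules.get("required", []):
        if name not in attrs:
            out.append(("error", f"missing {name}"))
    one_of = rules.get("one_of", [])
    if one_of and not any(name in attrs for name in one_of):
        out.append(("error", "need one of: " + ", ".join(one_of)))
    for name, (low, high) in rules.get("int", {}).items():
        for value in attrs.get(name, []):
            if not re.fullmatch(r"-?\d+", value):
                out.append(("error", f"{name}: {value!r} is not an integer"))
            elif low is not None and not low <= int(value) <= high:
                out.append(("error", f"{name}: {value} outside {low}..{high}"))
    for name, allowed in rules.get("choice", {}).items():
        for value in attrs.get(name, []):
            if value.lower() not in allowed:
                out.append(("error", f"{name}: {value!r} not in {allowed}"))
    # Settings the page describes as discarding data are flagged for review.
    if "yes" in (v.lower() for v in attrs.get("replica-force-cleaning", [])):
        out.append(("warning", "replica-force-cleaning: yes loses remaining updates"))
    if task_type == "usn tombstone cleanup task" and "max_usn_to_delete" not in attrs:
        out.append(("warning", "max_usn_to_delete not set: recent tombstones not preserved"))
    return out


def audit(ldif_text):
    return {dn: validate_task(dn, attrs) for dn, attrs in parse_ldif(ldif_text)}


# Constructed sample: the page's import example plus two deliberately bad entries.
SAMPLE_LDIF = """\
dn: cn=example import,cn=import,cn=tasks,cn=config
objectclass: extensibleObject
cn: example import
nsFilename: /home/files/example.ldif
nsInstance: userRoot

dn: cn=clean 55,cn=cleanallruv,cn=tasks,cn=config
cn: clean 55
replica-base-dn: dc=example,dc=com
replica-id: 70000
replica-force-cleaning: yes

dn: cn=example,cn=USN tombstone cleanup task,cn=tasks,cn=config
cn: example
"""
```

Calling `audit(SAMPLE_LDIF)` returns a dictionary keyed by DN; an empty list means the entry passed every check.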
3.1.16.13. cn=abort cleanallruv
cn=abort cleanallruv entry.
The cn=abort cleanallruv entry is a container entry for all clean RUV operations. The cn=abort cleanallruv entry itself has no attributes related to any individual task, but each of the task entries beneath this entry, such as cn=task_ID,cn=abort cleanallruv, cn=tasks,cn=config, uses its attributes to define the individual update task.
dn: cn=abort 55,cn=abort cleanallruv,cn=tasks,cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 55
replica-certify-all: yes
cn: abort 55
This gives the Directory Server base DN associated with the replicated database. This is the base DN for the replicated suffix.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=abort cleanallruv,cn=tasks,cn=config |
| Valid Values | Directory suffix DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | replica-base-dn: dc=example,dc=com |
This gives the replica ID (defined in the nsDS5ReplicaId attribute for the replica configuration entry) of the replica in the process of being removed from the replication topology.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=abort cleanallruv,cn=tasks,cn=config |
| Valid Values | 0 to 65534 |
| Default Value | None |
| Syntax | Integer |
| Example | replica-id: 55 |
This sets whether the task should complete successfully on all servers in the replication topology before completing the task locally (yes) or whether the task should show complete as soon as it completes locally (no).
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=abort cleanallruv,cn=tasks,cn=config |
| Valid Values | no | yes |
| Default Value | None |
| Syntax | DirectoryString |
| Example | replica-certify-all: yes |
3.1.16.14. cn=automember rebuild membership
The cn=automember rebuild membership task runs the current automembership rules against existing entries to update or rebuild group membership. All configured automembership rules are run against the identified entries (though not all rules may apply to a given entry).
This gives the Directory Server base DN to use to search for user entries. The entries in the specified DN are then updated according to the automembership rules.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember rebuild membership,cn=tasks,cn=config |
| Valid Values | Directory suffix DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | basedn: dc=example,dc=com |
This attribute gives an LDAP filter that identifies which user entries to update according to the configured automembership rules.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember rebuild membership,cn=tasks,cn=config |
| Valid Values | Any LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | filter: (uid=*) |
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember rebuild membership,cn=tasks,cn=config |
| Valid Values | sub | base | one |
| Default Value | None |
| Syntax | DirectoryString |
| Example | scope: sub |
3.1.16.15. cn=automember export updates
This gives the Directory Server base DN to use to search for user entries. A test-run of the automembership rules will be run against the identified entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember export updates,cn=tasks,cn=config |
| Valid Values | Directory suffix DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | basedn: dc=example,dc=com |
This attribute gives an LDAP filter that identifies the user entries against which to test-run the automembership rules.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember export updates,cn=tasks,cn=config |
| Valid Values | Any LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | filter: (uid=*) |
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember export updates,cn=tasks,cn=config |
| Valid Values | sub | base | one |
| Default Value | None |
| Syntax | DirectoryString |
| Example | scope: sub |
This attribute sets the full path and filename of an LDIF file to which to write the proposed changes from the test-run of the automembership rules. This file must be local to the system from which the task is initiated.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember export updates,cn=tasks,cn=config |
| Valid Values | Local path and filename |
| Default Value | None |
| Syntax | DirectoryString |
| Example | ldif: /tmp/automember-results.ldif |
3.1.16.16. cn=automember map updates
This attribute sets the full path and filename of an LDIF file from which to import entries to test with the configured automembership rules. These entries are not imported into the directory and the changes are not performed. The entries are loaded and used by the test-run only.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember map updates,cn=tasks,cn=config |
| Valid Values | Local path and filename |
| Default Value | None |
| Syntax | DirectoryString |
| Example | ldif_in: /tmp/automember-test-users.ldif |
This attribute sets the full path and filename of an LDIF file to which to write the proposed changes from the test-run of the automembership rules. This file must be local to the system from which the task is initiated.
| Parameter | Description |
|---|---|
| Entry DN | cn=task_name,cn=automember map updates,cn=tasks,cn=config |
| Valid Values | Local path and filename |
| Default Value | None |
| Syntax | DirectoryString |
| Example | ldif_out: /tmp/automember-results.ldif |
3.1.17. cn=uniqueid generator
cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class.
This attribute saves the state of the unique ID generator across server restarts. This attribute is maintained by the server. Do not edit it.
| Parameter | Description |
|---|---|
| Entry DN | cn=uniqueid generator,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsstate: AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA |
3.2. Configuration Object Classes
extensibleObject object class, but some require other object classes. These configuration object classes are listed here.
3.2.1. changeLogEntry (Object Class)
changeLogEntry object class.
top
2.16.840.1.113730.3.2.1
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| changeNumber | Contains a number assigned arbitrarily to the changelog. |
| changeTime | The time at which a change took place. |
| changeType | The type of change performed on an entry. |
| targetDn | The distinguished name of an entry added, modified or deleted on a supplier server. |
| change | Changes made to the Directory Server. |
| deleteOldRdn | A flag that defines whether the old Relative Distinguished Name (RDN) of the entry should be kept as a distinguished attribute of the entry or should be deleted. |
| newRdn | New RDN of an entry that is the target of a modRDN or modDN operation. |
| newSuperior | Name of the entry that becomes the immediate superior of the existing entry when processing a modDN operation. |
3.2.2. directoryServerFeature (Object Class)
top
2.16.840.1.113730.3.2.40
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn | Specifies the common name of the entry. |
| multiLineDescription | Gives a text description of the entry. |
| oid | Specifies the OID of the feature. |
3.2.3. nsBackendInstance (Object Class)
top
2.16.840.1.113730.3.2.109
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Gives the common name of the entry. |
3.2.4. nsChangelog4Config (Object Class)
top
2.16.840.1.113730.3.2.82
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
3.2.5. nsDS5Replica (Object Class)
top
2.16.840.1.113730.3.2.108
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| nsDS5ReplicaId | Specifies the unique ID for suppliers in a replication environment. |
| nsDS5ReplicaRoot | Specifies the suffix DN at the root of a replicated area. |
| cn | Gives the name for the replica. |
| nsDS5Flags | Specifies information that has been previously set in flags. |
| nsDS5ReplicaAutoReferral | Sets whether the server will follow configured referrals for the Directory Server database. |
| nsDS5ReplicaBindDN | Specifies the DN to use when a supplier server binds to a consumer. |
| nsDS5ReplicaChangeCount | Gives the total number of entries in the changelog and whether they have been replicated. |
| nsDS5ReplicaLegacyConsumer | Specifies whether the replica is a legacy consumer. |
| nsDS5ReplicaName | Specifies the unique ID for the replica for internal operations. |
| nsDS5ReplicaPurgeDelay | Specifies the time in seconds before the changelog is purged. |
| nsDS5ReplicaReferral | Specifies the URLs for user-defined referrals. |
| nsDS5ReplicaReleaseTimeout | Specifies a timeout after which a master will release a replica, whether or not it has finished sending its updates. |
| nsDS5ReplicaTombstonePurgeInterval | Specifies the time interval in seconds between purge operation cycles. |
| nsDS5ReplicaType | Defines the type of replica, such as a read-only consumer. |
| nsDS5Task | Launches a replication task, such as dumping the database contents to LDIF; this is used internally by the Directory Server supplier. |
| nsState | Stores information on the clock so that proper change sequence numbers are generated. |
3.2.6. nsDS5ReplicationAgreement (Object Class)
nsDS5ReplicationAgreement object class store the information set in a replication agreement. Information on the attributes for this object class is in chapter 2 of the Directory Server Configuration, Command, and File Reference.
top
2.16.840.1.113730.3.2.103
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Used for naming the replication agreement. |
| description | Contains a free text description of the replication agreement. |
| nsDS5BeginReplicaRefresh | Initializes a replica manually. |
| nsds5debugreplicatimeout | Gives an alternate timeout period to use when the replication is run with debug logging. |
| nsDS5ReplicaBindDN | Specifies the DN to use when a supplier server binds to a consumer. |
| nsDS5ReplicaBindMethod | Specifies the method (SSL or simple authentication) to use for binding. |
| nsDS5ReplicaBusyWaitTime | Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. |
| nsDS5ReplicaChangesSentSinceStartup | The number of changes sent to this replica since the server started. |
| nsDS5ReplicaCredentials | Specifies the password for the bind DN. |
| nsDS5ReplicaHost | Specifies the host name for the consumer replica. |
| nsDS5ReplicaLastInitEnd | States when the initialization of the consumer replica ended. |
| nsDS5ReplicaLastInitStart | States when the initialization of the consumer replica started. |
| nsDS5ReplicaLastInitStatus | The status for the initialization of the consumer. |
| nsDS5ReplicaLastUpdateEnd | States when the most recent replication schedule update ended. |
| nsDS5ReplicaLastUpdateStart | States when the most recent replication schedule update started. |
| nsDS5ReplicaLastUpdateStatus | Provides the status for the most recent replication schedule updates. |
| nsDS5ReplicaPort | Specifies the port number for the remote replica. |
| nsDS5ReplicaRoot | Specifies the suffix DN at the root of a replicated area. |
| nsDS5ReplicaSessionPauseTime | Specifies the amount of time in seconds a supplier should wait between update sessions. |
| nsDS5ReplicatedAttributeList | Specifies any attributes that will not be replicated to a consumer server. |
| nsDS5ReplicaTimeout | Specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing. |
| nsDS5ReplicaTransportInfo | Specifies the type of transport used for transporting data to and from the replica. |
| nsDS5ReplicaUpdateInProgress | States whether a replication schedule update is in progress. |
| nsDS5ReplicaUpdateSchedule | Specifies the replication schedule. |
| nsDS50ruv | Manages the internal state of the replica via the replication update vector. |
| nsruvReplicaLastModified | Contains the most recent time that an entry in the replica was modified and the changelog was updated. |
| nsds5ReplicaStripAttrs | With fractional replication, an update to an excluded attribute still triggers a replication event, but that event is empty. This attribute sets attributes to strip from the replication update. This prevents changes to attributes like internalModifyTimestamp from triggering an empty replication update. |
3.2.7. nsDSWindowsReplicationAgreement (Object Class)
top
2.16.840.1.113730.3.2.503
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Gives the name of the synchronization agreement. |
| description | Contains a text description of the synchronization agreement. |
| nsDS5BeginReplicaRefresh | Initiates a manual synchronization. |
| nsds5debugreplicatimeout | Gives an alternate timeout period to use when the synchronization is run with debug logging. |
| nsDS5ReplicaBindDN | Specifies the DN to use when the Directory Server binds to the Windows server. |
| nsDS5ReplicaBindMethod | Specifies the method (SSL or simple authentication) to use for binding. |
| nsDS5ReplicaBusyWaitTime | Specifies the amount of time in seconds the Directory Server should wait after the Windows server sends back a busy response before making another attempt to acquire access. |
| nsDS5ReplicaChangesSentSinceStartup | Shows the number of changes sent since the Directory Server started. |
| nsDS5ReplicaCredentials | Specifies the credentials for the bind DN. |
| nsDS5ReplicaHost | Specifies the host name for the Windows domain controller of the Windows server being synchronized. |
| nsDS5ReplicaLastInitEnd | States when the last total update (resynchronization) of the Windows server ended. |
| nsDS5ReplicaLastInitStart | States when the last total update (resynchronization) of the Windows server started. |
| nsDS5ReplicaLastInitStatus | The status for the total update (resynchronization) of the Windows server. |
| nsDS5ReplicaLastUpdateEnd | States when the most recent update ended. |
| nsDS5ReplicaLastUpdateStart | States when the most recent update started. |
| nsDS5ReplicaLastUpdateStatus | Provides the status for the most recent updates. |
| nsDS5ReplicaPort | Specifies the port number for the Windows server. |
| nsDS5ReplicaRoot | Specifies the root suffix DN of the Directory Server. |
| nsDS5ReplicaSessionPauseTime | Specifies the amount of time in seconds the Directory Server should wait between update sessions. |
| nsDS5ReplicaTimeout | Specifies the number of seconds outbound LDAP operations will wait for a response from the Windows server before timing out and failing. |
| nsDS5ReplicaTransportInfo | Specifies the type of transport used for transporting data to and from the Windows server. |
| nsDS5ReplicaUpdateInProgress | States whether an update is in progress. |
| nsDS5ReplicaUpdateSchedule | Specifies the synchronization schedule. |
| nsDS50ruv | Manages the internal state of the Directory Server sync peer using the replication update vector (RUV). |
| nsds7DirectoryReplicaSubtree | Specifies the Directory Server suffix (root or sub) that is synced. |
| nsds7DirsyncCookie | Contains a cookie set by the sync service that functions as an RUV. |
| nsds7NewWinGroupSyncEnabled | Specifies whether new Windows group accounts are automatically created on the Directory Server. |
| nsds7NewWinUserSyncEnabled | Specifies whether new Windows user accounts are automatically created on the Directory Server. |
| nsds7WindowsDomain | Identifies the Windows domain being synchronized; analogous to nsDS5ReplicaHost in a replication agreement. |
| nsds7WindowsReplicaSubtree | Specifies the Windows server suffix (root or sub) that is synced. |
| nsruvReplicaLastModified | Contains the most recent time that an entry in the Directory Server sync peer was modified and the changelog was updated. |
| winSyncInterval | Sets how frequently, in seconds, the Directory Server polls the Windows server for updates to write over. If this is not set, the default is 300, which is 300 seconds or five (5) minutes. |
| winSyncMoveAction | Sets how the sync plug-in handles corresponding entries that are discovered in Active Directory outside of the synced subtree. The sync process can ignore these entries (none, the default) or it can assume that the entries were moved intentionally to remove them from synchronization, and it can then either delete the corresponding Directory Server entry (delete) or remove the synchronization attributes and no longer sync the entry (unsync). |
3.2.8. nsEncryptionConfig
The nsEncryptionConfig object class stores the configuration information for allowed encryption options, such as protocols and cipher suites. This is defined in the Administrative Services.
top
nsEncryptionConfig-oid
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| nsSSL2 | Sets whether SSL version 2 is enabled for the server. |
| nsSSL2Ciphers | Contains a list of all ciphers available to be used with SSLv2. |
| nsSSL3 | Sets whether SSL version 3 is enabled for the server. |
| nsSSL3Ciphers | Contains a list of all ciphers available to be used with SSLv3. |
| nsSSL3SessionTimeout | Sets the timeout period for an SSLv3 cipher session. |
| nsSSLClientAuth | Sets how the server handles client authentication. There are three possible values: allow, disallow, or require. |
| nsSSLSessionTimeout | Sets the timeout period for a cipher session. |
| nsSSLSupportedCiphers | Contains a list of all ciphers available to be used with secure connections to the server. |
| nsTLS1 | Sets whether TLS 1.0 and later versions are enabled for the server. |
| nsTLS10 | Sets whether TLS version 1.0 is enabled for the server. |
| nsTLS11 | Sets whether TLS version 1.1 is enabled for the server. |
| nsTLS12 | Sets whether TLS version 1.2 is enabled for the server. |
3.2.9. nsEncryptionModule
The nsEncryptionModule object class stores the encryption module information. This is defined in the Administrative Services.
top
nsEncryptionModule-oid
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| nsSSLActivation | Sets whether to enable a cipher family. |
| nsSSLPersonalitySSL | Contains the name of the certificate used by the server for SSL. |
| nsSSLToken | Identifies the security token used by the server. |
3.2.10. nsMappingTree (Object Class)
nsMappingTree object class. This object class is defined in Directory Server.
top
2.16.840.1.113730.3.2.110
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn | Gives the common name of the entry. |
3.2.11. nsSaslMapping (Object Class)
top
2.16.840.1.113730.3.2.317
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Gives the name of the SASL mapping entry. |
| nsSaslMapBaseDNTemplate | Contains the search base DN template. |
| nsSaslMapFilterTemplate | Contains the search filter template. |
| nsSaslMapRegexString | Contains a regular expression to match SASL identity strings. |
3.2.12. nsslapdConfig (Object Class)
The nsslapdConfig object class defines the configuration object, cn=config, for the Directory Server instance.
top
2.16.840.1.113730.3.2.39
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn | Gives the common name of the entry. |
3.2.13. passwordPolicy (Object Class)
passwordPolicy object class. This object class is defined in Directory Server.
top
2.16.840.1.113730.3.2.13
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| passwordMaxAge (Password Maximum Age) | Sets the number of seconds after which user passwords expire. |
| passwordExp (Password Expiration) | Identifies whether the user's password expires after an interval given by the passwordMaxAge attribute. |
| passwordMinLength (Password Minimum Length) | Sets the minimum number of characters that must be used in passwords. |
| passwordKeepHistory | Sets whether to keep a password history for a user. |
| passwordInHistory (Number of Passwords to Remember) | Sets the number of passwords the directory stores in the history. |
| passwordChange (Password Change) | Identifies whether or not users are allowed to change their own password. |
| passwordWarning (Send Warning) | Sets the number of seconds before a warning message is sent to users whose password is about to expire. |
| passwordLockout (Account Lockout) | Identifies whether or not users are locked out of the directory after a given number of failed bind attempts. |
| passwordMaxFailure (Maximum Password Failures) | Sets the number of failed bind attempts after which a user will be locked out of the directory. |
| passwordResetDuration | Sets the period of time before the server resets the retry count to zero. |
| passwordUnlock (Unlock Account) | Identifies whether a user is locked out until the password is reset by an administrator or whether the user can log in again after a given lockout duration. The default is to allow a user to log back in after the lockout period. |
| passwordLockoutDuration (Lockout Duration) | Sets the time, in seconds, that users will be locked out of the directory. |
| passwordCheckSyntax (Check Password Syntax) | Identifies whether the password syntax is checked by the server before the password is saved. |
| passwordMustChange (Password Must Change) | Identifies whether users must change their passwords when they first log in to the directory or after the password is reset by the Directory Manager. |
| passwordStorageScheme (Password Storage Scheme) | Sets the type of encryption used to store Directory Server passwords. |
| passwordMinAge (Password Minimum Age) | Sets the number of seconds that must pass before a user can change their password. |
| passwordResetFailureCount (Reset Password Failure Count After) | Sets the time, in seconds, after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. |
| passwordGraceLimit (Password Expiration) | Sets the number of grace logins permitted when a user's password is expired. |
| PasswordMinDigits (Password Syntax) | Sets the minimum number of numeric characters (0 through 9) which must be used in the password. |
| passwordMinAlphas (Password Syntax) | Sets the minimum number of alphabetic characters that must be used in the password. |
| PasswordMinUppers (Password Syntax) | Sets the minimum number of upper case alphabetic characters, A to Z, which must be used in the password. |
| PasswordMinLowers (Password Syntax) | Sets the minimum number of lower case alphabetic characters, a to z, which must be used in the password. |
| PasswordMinSpecials (Password Syntax) | Sets the minimum number of special ASCII characters, such as !@#$., which must be used in the password. |
| passwordMin8Bit (Password Syntax) | Sets the minimum number of 8-bit characters used in the password. |
| passwordMaxRepeats (Password Syntax) | Sets the maximum number of times that the same character can be used in a row. |
| passwordMinCategories (Password Syntax) | Sets the minimum number of categories which must be used in the password. |
| PasswordMinTokenLength (Password Syntax) | Sets the length to check for trivial words. |
3.3. Root DSE Attributes
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -x -s base -b "" "objectclass=*"
3.3.1. dataversion
dataversion: 020090923175302020090923175302
| OID | |
| Syntax | GeneralizedTime |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
3.3.2. defaultNamingContext
| OID | |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
3.3.3. lastusn
entryUSN operational attribute for the entry.
lastusn attribute. When the USN Plug-in is set to local mode, the lastUSN attribute shows both the database which assigned the USN and the USN:
lastusn;database_name:USN
lastusn;example1: 213
lastusn;example2: 207
lastUSN value shows the latest USN assigned by any database:
lastusn: 420
Note
| Syntax | Integer |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.3.4. namingContexts
| OID | 1.3.6.1.4.1.1466.101.120.5 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
3.3.5. netscapemdsuffix
cn=ldap://dc=server_name,dc=example,dc=com:389
| OID | 2.16.840.1.113730.3.1.212 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
3.3.6. supportedControl
| OID | 1.3.6.1.4.1.1466.101.120.13 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
3.3.7. supportedExtension
| OID | 1.3.6.1.4.1.1466.101.120.7 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
3.3.8. supportedFeatures
| OID | 1.3.6.1.4.1.4203.1.3.5 |
| Syntax | OID |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 3674 |
3.3.9. supportedLDAPVersion
| OID | 1.3.6.1.4.1.1466.101.120.15 |
| Syntax | Integer |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
3.3.10. supportedSASLMechanisms
| OID | 1.3.6.1.4.1.1466.101.120.14 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
3.3.11. vendorName
| OID | 1.3.6.1.1.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 3045 |
3.3.12. vendorVersion
| OID | 1.3.6.1.1.5 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 3045 |
3.4. Legacy Attributes
3.4.1. Legacy Server Attributes
3.4.1.1. LDAPServer (Object Class)
top
2.16.840.1.113730.3.2.35
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn | Specifies the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the account belongs. |
| seeAlso | Contains a URL to another entry or site with related information. |
| generation | Stores the server generation string. |
| changeLogMaximumAge | Specifies changelog maximum age. |
| changeLogMaximumSize | Specifies maximum changelog size. |
3.4.1.2. changeLogMaximumAge
| OID | 2.16.840.1.113730.3.1.200 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.1.3. changeLogMaximumConcurrentWrites
| OID | 2.16.840.1.113730.3.1.205 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.1.4. changeLogMaximumSize
| OID | 2.16.840.1.113730.3.1.201 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.1.5. generation
| OID | 2.16.840.1.113730.3.1.612 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.1.6. nsSynchUniqueAttribute
| OID | 2.16.840.1.113730.3.1.407 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.1.7. nsSynchUserIDFormat
| OID | 2.16.840.1.113730.3.1.406 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2. Legacy Replication Attributes
Warning
3.4.2.1. cirReplicaSource (Object Class)
cirReplicaSource is an object that is used for consumer-initiated replication. This object class is defined by Directory Server.
top
2.16.840.1.113730.3.2.11
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Specifies the common name of the supplier server. |
| Attribute | Definition |
|---|---|
| cirReplicaRoot | Stores the root suffix to be replicated. |
| cirHost | Identifies the host of the supplier. |
| cirPort | Identifies the port of the supplier. |
| cirBindDN | Specifies the bind DN. |
| cirUsePersistentSearch | Flag that specifies whether or not to use persistent search. |
| cirUseSSL | Flag that specifies whether or not to use SSL. |
| cirBindCredentials | Specifies the password for cirBindDN. |
| cirLastUpdateApplied | Timestamp of the last replica update. |
| cirUpdateSchedule | Schedule when the replica update occurs. |
| cirSyncInterval | Identifies the interval to do synchronization. |
| cirUpdateFailedAt | Stores the timestamp of the last failed update attempt. |
| cirBeginORC | Sets whether the database deletes its contents before beginning replication. |
| replicaNickname | Identifies the name for the replication agreement. |
| replicaEntryFilter | Identifies the entries to be replicated. |
| replicatedAttributeList | Identifies the list of attributes to be replicated. |
3.4.2.2. cirBeginORC
The cirBeginORC attribute sets whether the consumer deletes its database. Its values are either start or stop.
| OID | 2.16.840.1.113730.3.1.90 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.3. cirBindCredentials
| OID | 2.16.840.1.113730.3.1.85 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.4. cirBindDn
| OID | 2.16.840.1.113730.3.1.82 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.5. cirHost
| OID | 2.16.840.1.113730.3.1.80 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.6. cirLastUpdateApplied
| OID | 2.16.840.1.113730.3.1.86 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.7. cirPort
| OID | 2.16.840.1.113730.3.1.81 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.8. cirReplicaRoot
| OID | 2.16.840.1.113730.3.1.79 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.9. cirSyncInterval
| OID | 2.16.840.1.113730.3.1.89 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.10. cirUpdateFailedat
| OID | 2.16.840.1.113730.3.1.88 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.11. cirUpdateSchedule
| OID | 2.16.840.1.113730.3.1.87 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.12. cirUsePersistentSearch
| OID | 2.16.840.1.113730.3.1.83 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.13. cirUseSsl
| OID | 2.16.840.1.113730.3.1.84 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.14. LDAPReplica (Object Class)
top
2.16.840.1.113730.3.2.36
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn | Specifies the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| localityName | Gives the city or geographical location of the entry. |
| ou | Gives the organizational unit or division to which the account belongs. |
| seeAlso | Contains a URL to another entry or site with related information. |
| replicaRoot | Stores the root suffix to be replicated. |
| replicaHost | Stores the replica server's host name. |
| replicaPort | Stores the replica server's port number. |
| replicaBindDn | Stores the bind DN for the replica server. |
| replicaCredentials | Stores the password for replicaBindDn. |
| replicaBindMethod | Specifies the bind method. |
| replicaUseSSL | Flag that specifies whether or not to use SSL. |
| replicaUpdateSchedule | Schedule when the replica update occurs. |
| replicaUpdateReplayed | Stores the last replicated change number. |
| replicaUpdateFailedAt | Stores the timestamp of the last failed update attempt. |
| replicaBeginORC | Sets whether to delete existing databases before beginning replication. |
| replicaNickname | Identifies the name for the replication agreement. |
| replicaEntryFilter | Identifies the entries to be replicated. |
| replicatedAttributeList | Identifies the list of attributes to be replicated. |
| replicaCFUpdated | Stores the status of copiedFrom. |
| replicaAbandonedChanges | Contains change numbers which are not replicated. |
| replicaLastRelevantChange | Stores the last relevant change. |
3.4.2.15. replicaAbandonedChanges
| OID | 2.16.840.1.113730.3.1.218 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.16. replicaBeginOrc
The replicaBeginOrc attribute sets whether the consumer deletes its database. Its values are either start or stop.
| OID | 2.16.840.1.113730.3.1.50 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.17. replicaBindDn
| OID | 2.16.840.1.113730.3.1.58 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.18. replicaBindMethod
| OID | 2.16.840.1.113730.3.1.53 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.19. replicaCFUpdated
copiedFrom attribute on an entry.
| OID | 2.16.840.1.113730.3.1.217 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.20. replicaCredentials
| OID | 2.16.840.1.113730.3.1.202 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.21. replicaEntryFilter
| OID | 2.16.840.1.113730.3.1.203 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.22. replicaHost
| OID | 2.16.840.1.113730.3.1.197 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.23. replicaLastRelevantChange
| OID | 2.16.840.1.113730.3.1.408 |
| Syntax | Integer |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.24. replicaNickName
| OID | 2.16.840.1.113730.3.1.204 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.25. replicaPort
| OID | 2.16.840.1.113730.3.1.48 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.26. replicaRoot
| OID | 2.16.840.1.113730.3.1.57 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.27. replicatedattributelist
| OID | 2.16.840.1.113730.3.1.240 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.28. replicaUpdateFailedAt
| OID | 2.16.840.1.113730.3.1.49 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.29. replicaUpdateReplayed
| OID | 2.16.840.1.113730.3.1.51 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.30. replicaUpdateSchedule
| OID | 2.16.840.1.113730.3.1.52 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
3.4.2.31. replicaUseSSL
| OID | 2.16.840.1.113730.3.1.54 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
Chapter 4. Plug-in Implemented Server Functionality Reference
cn=plugins,cn=config.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
ldapsearch on the cn=config subtree.
nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry, as shown in the following example:
dn: cn=ACL Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
4.1. Server Plug-in Functionality Reference
4.1.1. 7-bit Check Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | NS7bitAtt |
| DN of Configuration Entry | cn=7-bit check,cn=plugins,cn=config |
| Description | Checks certain attributes are 7-bit clean |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur. |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off. |
4.1.2. ACL Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | acl |
| DN of Configuration Entry | cn=ACL Plugin,cn=plugins,cn=config |
| Description | ACL access check plug-in |
| Type | accesscontrol |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. |
| Further Information | See the "Managing Access Control" chapter in the Directory Server Administrator's Guide. |
4.1.3. ACL Preoperation Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | acl |
| DN of Configuration Entry | cn=ACL preoperation,cn=plugins,cn=config |
| Description | ACL access check plug-in |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. |
| Further Information | See the "Managing Access Control" chapter in the Directory Server Administrator's Guide. |
4.1.4. Account Policy Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=Account Policy Plugin,cn=plugins,cn=config |
| Description | Defines a policy to lock user accounts after a certain expiration period or inactivity period. |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | A pointer to a configuration entry which contains the global account policy settings. |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the acctPolicySubentry object class. These configuration entries can then be applied to users or roles through classes of service. |
4.1.5. Account Usability Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | acctusability |
| DN of Configuration Entry | cn=Account Usability Plugin,cn=plugins,cn=config |
| Description | Checks the authentication status, or usability, of an account without actually authenticating as the given user |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Dependencies | Database |
| Performance-Related Information | None |
4.1.6. Attribute Uniqueness Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | NSUniqueAttr |
| DN of Configuration Entry | cn=Attribute Uniqueness,cn=plugins,cn=config |
| Description | Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN".... However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute. |
| Dependencies | Database |
| Performance-Related Information | Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. See the "Using the Attribute Uniqueness Plug-in" section in the Directory Server Administrator's Guide for more information about the Attribute Uniqueness Plug-in. The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance. |
| Further Information | See the "Using the Attribute Uniqueness Plug-in" section in the Directory Server Administrator's Guide. |
4.1.7. Auto Membership Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | Auto Membership |
| DN of Configuration Entry | cn=Auto Membership,cn=plugins,cn=config |
| Description | Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group. |
| Dependencies | Database |
| Performance-Related Information | None. |
| Further Information | See the "Automatically Adding Entries to Specified Groups" section in the Directory Server Administrator's Guide. |
4.1.8. Binary Syntax Plug-in
Warning
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | bin-syntax |
| DN of Configuration Entry | cn=Binary Syntax,cn=plugins,cn=config |
| Description | Syntax for handling binary data. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
4.1.9. Bit String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | bitstring-syntax |
| DN of Configuration Entry | cn=Bit String Syntax,cn=plugins,cn=config |
| Description | Supports bit string syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.10. Bitwise Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | bitwise |
| DN of Configuration Entry | cn=Bitwise Plugin,cn=plugins,cn=config |
| Description | Matching rule for performing bitwise operations against the LDAP server |
| Type | matchingrule |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Finding Directory Entries" chapter in the Administrator's Guide for performing searches using bitwise filters. |
4.1.11. Boolean Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | boolean-syntax |
| DN of Configuration Entry | cn=Boolean Syntax,cn=plugins,cn=config |
| Description | Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.12. Case Exact String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | ces-syntax |
| DN of Configuration Entry | cn=Case Exact String Syntax,cn=plugins,cn=config |
| Description | Supports case-sensitive matching for Directory String, IA5 String, and related syntaxes. This isn't a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
4.1.13. Case Ignore String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | directorystring-syntax |
| DN of Configuration Entry | cn=Case Ignore String Syntax,cn=plugins,cn=config |
| Description | Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This isn't a case-insensitive syntax; this plug-in provides case-insensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
4.1.14. Chaining Database Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | chaining database |
| DN of Configuration Entry | cn=Chaining database,cn=plugins,cn=config |
| Description | Enables back end databases to be linked |
| Type | database |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | There are many performance related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the Directory Server Administrator's Guide. |
| Further Information | A chaining database is also known as a database link. Database links are described in the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide. |
4.1.15. Class of Service Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | cos |
| DN of Configuration Entry | cn=Class of Service,cn=plugins,cn=config |
| Description | Allows for sharing of attributes between entries |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | Do not modify the configuration of this plug-in. Leave this plug-in running at all times. |
| Further Information | See the "Managing Dynamic Attributes" chapter in the Directory Server Administrator's Guide. |
4.1.16. Country String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | countrystring-syntax |
| DN of Configuration Entry | cn=Country String Syntax,cn=plugins,cn=config |
| Description | Supports country naming syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.17. Delivery Method Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | delivery-syntax |
| DN of Configuration Entry | cn=Delivery Method Syntax,cn=plugins,cn=config |
| Description | Supports values that are lists of preferred delivery methods and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.18. deref Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | Dereference |
| DN of Configuration Entry | cn=deref,cn=plugins,cn=config |
| Description | For dereference controls in directory searches |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Finding Directory Entries" chapter in the Administrator's Guide for performing searches using dereference controls. |
4.1.19. Distinguished Name Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | dn-syntax |
| DN of Configuration Entry | cn=Distinguished Name Syntax,cn=plugins,cn=config |
| Description | Supports DN value syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.20. Distributed Numeric Assignment Plug-in
| Plug-in Information | Description |
|---|---|
| Plug-in ID | Distributed Numeric Assignment |
| Configuration Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Description | Distributed Numeric Assignment plugin |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information |
4.1.21. Enhanced Guide Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | enhancedguide-syntax |
| DN of Configuration Entry | cn=Enhanced Guide Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.22. Facsimile Telephone Number Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | facsimile-syntax |
| DN of Configuration Entry | cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for fax numbers; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.23. Fax Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | fax-syntax |
| DN of Configuration Entry | cn=Fax Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.24. Generalized Time Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | time-syntax |
| DN of Configuration Entry | cn=Generalized Time Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time. See also RFC 4517. |
4.1.25. Guide Syntax Plug-in
Warning
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | guide-syntax |
| DN of Configuration Entry | cn=Guide Syntax,cn=plugins,cn=config |
| Description | Syntax for creating complex criteria, based on attributes and filters, to build searches |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | This syntax is obsolete. The Enhanced Guide Syntax should be used instead. |
4.1.26. HTTP Client Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | http-client |
| DN of Configuration Entry | cn=HTTP Client,cn=plugins,cn=config |
| Description | HTTP client plug-in |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | |
| Further Information |
4.1.27. Integer Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | int-syntax |
| DN of Configuration Entry | cn=Integer Syntax,cn=plugins,cn=config |
| Description | Supports integer syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.28. Internationalization Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | orderingrule |
| DN of Configuration Entry | cn=Internationalization Plugin,cn=plugins,cn=config |
| Description | Enables internationalized strings to be ordered in the directory |
| Type | matchingrule |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in. |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Internationalization" appendix and the section on "Searching an Internationalized Directory" in the "Finding Directory Entries" appendix in the Directory Server Administrator's Guide. |
4.1.29. JPEG Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | jpeg-syntax |
| DN of Configuration Entry | cn=JPEG Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for JPEG image data; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.30. ldbm database Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | ldbm-backend |
| DN of Configuration Entry | cn=ldbm database,cn=plugins,cn=config |
| Description | Implements local databases |
| Type | database |
| Configurable Options | |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | See Section 4.4, “Database Plug-in Attributes” for further information on database configuration. |
| Further Information | See the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide. |
4.1.31. Legacy Replication Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | replication-legacy |
| DN of Configuration Entry | cn=Legacy Replication plug-in,cn=plugins,cn=config |
| Description | Enables a current version Directory Server to be a consumer of a 4.x supplier |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server. |
| Dependencies | |
| Performance-Related Information | None |
| Further Information | See the "Managing Replication" chapter in the Directory Server Administrator's Guide. |
4.1.32. Linked Attributes Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | Linked Attributes |
| DN of Configuration Entry | cn=Linked Attributes,cn=plugins,cn=config |
| Description | Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), any entry associated with that entry (such as one with a custom directReports attribute) is automatically updated with a user-specified corresponding attribute. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None for the main plug-in entry. Each plug-in instance has three possible attributes: |
| Dependencies | Database |
| Performance-Related Information | Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued. |
| Further Information | See the "Managing Attributes" chapter in the Directory Server Administrator's Guide and Section 4.10, “Linked Attributes Plug-in Attributes”. |
4.1.33. Managed Entries Plug-in
| Plug-in Information | Description |
|---|---|
| Plug-in ID | Managed Entries |
| Configuration Entry DN | cn=Managed Entries,cn=plugins,cn=config |
| Description | Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, then the plug-in automatically creates a new, related entry based on the template. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None for the main plug-in entry. Each plug-in instance has four possible attributes: |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | |
4.1.34. MemberOf Plug-in
| Plug-in Information | Description |
|---|---|
| Plug-in ID | memberOf |
| Configuration Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Description | Manages the memberOf attribute on user entries, based on the member attributes in the group entry. |
| Type | postoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | |
4.1.35. Multi-master Replication Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | replication-multimaster |
| DN of Configuration Entry | cn=Multimaster Replication plugin,cn=plugins,cn=config |
| Description | Enables replication between two current Directory Servers |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | |
| Further Information | Turn this plug-in off if one server will never replicate. See the "Managing Replication" chapter in the Directory Server Administrator's Guide. |
4.1.36. Name and Optional UID Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | nameoptuid-syntax |
| DN of Configuration Entry | cn=Name And Optional UID Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | The optional UID is used to distinguish between entries which may have identical DNs or naming attributes. See also RFC 4517. |
4.1.37. Numeric String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | numstr-syntax |
| DN of Configuration Entry | cn=Numeric String Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.38. Octet String Syntax Plug-in
Note
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | octetstring-syntax |
| DN of Configuration Entry | cn=Octet String Syntax,cn=plugins,cn=config |
| Description | Supports octet string syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.39. OID Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | oid-syntax |
| DN of Configuration Entry | cn=OID Syntax,cn=plugins,cn=config |
| Description | Supports object identifier (OID) syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.40. PAM Pass Through Auth Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | pam_passthruauth |
| DN of Configuration Entry | cn=PAM Pass Through Auth,cn=plugins,cn=config |
| Description | Enables pass-through authentication for PAM, meaning that a PAM service can use the Directory Server as its user authentication store. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | |
| Further Information | See the "Using PAM Pass-through Authentication" section in the Directory Server Administrator's Guide. |
4.1.41. Pass Through Authentication Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | passthruauth |
| DN of Configuration Entry | cn=Pass Through Authentication,cn=plugins,cn=config |
| Description | Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | ldap://example.com:389/o=example |
| Dependencies | Database |
| Performance-Related Information | Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication" chapter in the Directory Server Administrator's Guide. |
| Further Information | See the "Using the Pass-through Authentication Plug-in" chapter in the Directory Server Administrator's Guide. |
4.1.42. Password Storage Schemes
The cn=Password Storage Schemes entry is a container entry, not a plug-in entry itself. All of the plug-ins used for encryption are stored under this entry. The supported schemes change as new encryption methods are added; to view the complete and current list, list the entries under cn=Password Storage Schemes,cn=plugins,cn=config:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -x -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)"
cn=Storage Scheme Name Plugin,cn=Password Storage Schemes,cn=plugins,cn=config
Warning
Table 4.1. Password Storage Plugins
| Storage Scheme Name | Usage Notes |
|---|---|
| CLEAR | This encryption method is required for using SASL. |
| CRYPT | This storage scheme is not very secure and is included only for compatibility with legacy servers and to allow migration. |
| DES | This encryption scheme is used only for reversible encryption and is available for certain plug-ins; this is not intended for password storage. |
| MD5 | This storage scheme is not very secure and is included only for compatibility with legacy servers and to allow migration. |
| SMD5 | This storage scheme is more secure than plain MD5 hash, but still less secure than SSHA. This storage scheme is not included for use with new passwords but to help with migrating user accounts from directories which support salted MD5. |
| NS-MTA-MD5 | The NS-MTA-MD5 password storage scheme cannot be used to encrypt passwords. The storage scheme is still present for backward compatibility for any entries stored in the directory with passwords encrypted with the NS-MTA-MD5 password storage scheme. |
| SHA | If there are no passwords encrypted using the SHA password storage scheme, this plug-in can be turned off. Instead of encrypting passwords with the SHA password storage scheme, Red Hat recommends choosing SSHA instead because it is more secure. |
| SHA256 | Use SHA256 or higher to encrypt passwords because these are stronger encryption schemes. |
| SHA384 | This storage scheme is recommended for password storage because of its strength. |
| SHA512 | This storage scheme is recommended for password storage because of its strength. |
| SSHA | This is recommended instead of SHA because it is a stronger encryption scheme. However, Red Hat recommends using at least the SSHA256 storage scheme or higher because these are stronger schemes. |
| SSHA256 | Use SSHA256 or higher to encrypt passwords because these are stronger encryption schemes. |
| SSHA384 | This storage scheme is recommended for password storage because of its strength. |
| SSHA512 | This storage scheme is recommended for password storage because of its strength. |
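The following added example (not part of the Red Hat reference) audits an LDIF export for `userPassword` values stored with schemes that Table 4.1 marks as legacy, cleartext, or below the recommended strength. It assumes that the salted SHA schemes store `base64(digest + salt)` and that a value without a `{SCHEME}` prefix is cleartext; the tier names, function names, and sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Tiers restate the usage notes in Table 4.1; the tier names are this example's own.
TIERS = {
    "CLEAR": "cleartext", "DES": "not-for-passwords",
    "CRYPT": "legacy", "MD5": "legacy", "SMD5": "legacy",
    "NS-MTA-MD5": "legacy", "SHA": "legacy", "SSHA": "upgrade",
    "SHA256": "recommended", "SHA384": "recommended", "SHA512": "recommended",
    "SSHA256": "recommended", "SSHA384": "recommended", "SSHA512": "recommended",
}
# Assumption: salted SHA values are base64(digest + salt); digest sizes in bytes.
SALTED = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32),
          "SSHA384": ("sha384", 48), "SSHA512": ("sha512", 64)}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def unfold(ldif_text):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif_text):
    """Yield (dn, [userPassword values]) for each entry in the LDIF text."""
    dn, passwords = None, []
    for line in unfold(ldif_text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, passwords
            dn, passwords = None, []
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            passwords.append(value)


def classify(value):
    """Return (scheme, tier, salt_len); salt_len is None for unsalted schemes."""
    match = SCHEME_RE.match(value)
    if not match:
        return "CLEAR", "cleartext", None      # assumption: no prefix means cleartext
    scheme = match.group(1).upper()
    salt_len = None
    if scheme in SALTED:
        try:
            blob = base64.b64decode(match.group(2), validate=True)
            salt_len = len(blob) - SALTED[scheme][1]
        except ValueError:
            salt_len = -1                      # not valid base64
    return scheme, TIERS.get(scheme, "unknown"), salt_len


def verify_salted(value, password):
    """Check a candidate password against a salted SHA value (constant-time compare)."""
    scheme, _, salt_len = classify(value)
    if scheme not in SALTED or salt_len is None or salt_len < 0:
        return False
    algo, size = SALTED[scheme]
    blob = base64.b64decode(value[len(scheme) + 2:])
    expected = hashlib.new(algo, password.encode() + blob[size:]).digest()
    return hmac.compare_digest(expected, blob[:size])


def audit(ldif_text):
    """Return [(dn, scheme, tier)] for every password outside the recommended tier."""
    return [(dn, scheme, tier)
            for dn, passwords in parse_entries(ldif_text)
            for scheme, tier, _ in map(classify, passwords)
            if tier != "recommended"]


def make_salted(scheme, password, salt):
    """Build a salted value for the constructed sample data below."""
    digest = hashlib.new(SALTED[scheme][0], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def fold(line, width=60):
    """Fold one long LDIF line the way an export tool would."""
    return line[:width] + "\n " + line[width:]


# Constructed sample export; none of these entries or passwords come from the page.
_sha = "{SHA}" + base64.b64encode(hashlib.sha1(b"constructed-pw-2").digest()).decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    fold("userPassword: " + make_salted("SSHA512", "constructed-pw-1", b"\x01" * 8)),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(_sha.encode()).decode(),
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: " + make_salted("SSHA", "constructed-pw-3", b"\x02" * 8),
    "",
    "dn: uid=svc-sasl,ou=Services,dc=example,dc=com",
    "userPassword: {CLEAR}constructed-secret",
])

if __name__ == "__main__":
    for dn, scheme, tier in audit(SAMPLE_LDIF):
        print(f"{tier:10} {scheme:8} {dn}")
```

Entries reported as `legacy` or `upgrade` are rehashed only when the user next changes or resets the password, so the report is a migration worklist rather than a one-step fix.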
4.1.43. Posix Winsync API Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | posix-winsync-plugin |
| DN of Configuration Entry | cn=Posix Winsync API,cn=plugins,cn=config |
| Description | Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries. |
| Type | preoperation |
| Configurable Arguments | |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | database |
4.1.44. Postal Address String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | postaladdress-syntax |
| DN of Configuration Entry | cn=Postal Address Syntax,cn=plugins,cn=config |
| Description | Supports postal address syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.45. Printable String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | printablestring-syntax |
| DN of Configuration Entry | cn=Printable String Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517). |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.46. Referential Integrity Postoperation Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | referint |
| DN of Configuration Entry | cn=Referential Integrity Postoperation,cn=plugins,cn=config |
| Description | Enables the server to ensure referential integrity |
| Type | postoperation |
| Configurable Options | All configuration and on | off |
| Default Setting | off |
| Configurable Arguments | When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation. The plug-in can be configured to perform integrity checks on all other attributes. For details, see the corresponding section in the Directory Server Administration Guide. |
| Dependencies | Database |
| Performance-Related Information | The Referential Integrity Plug-in should be enabled only on one master in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality. |
| Further Information | See the "Managing Indexes" chapter for information about how to index attributes used for referential integrity checking and the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide. |
4.1.47. Retro Changelog Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | retrocl |
| DN of Configuration Entry | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Description | Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | See Section 4.14, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in. |
| Dependencies | |
| Performance-Related Information | May slow down Directory Server update performance. |
| Further Information | See the "Managing Replication" chapter in the Directory Server Administrator's Guide. |
4.1.48. Roles Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | roles |
| DN of Configuration Entry | cn=Roles Plugin,cn=plugins,cn=config |
| Description | Enables the use of roles in the Directory Server |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Advanced Entry Management" chapter in the Directory Server Administrator's Guide. |
4.1.49. RootDN Access Control Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | rootdn-access-control |
| DN of Configuration Entry | cn=RootDN Access Control,cn=plugins,cn=config |
| Description | Enables and configures access controls to use for the root DN entry. |
| Type | internalpreoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Attributes | |
| Dependencies | None |
| Further Information | See the "Access Control" sections in the Directory Server Administrator's Guide. |
4.1.50. Schema Reload Plug-in
| Plug-in Information | Description |
|---|---|
| Plug-in ID | schemareload |
| Configuration Entry DN | cn=Schema Reload,cn=plugins,cn=config |
| Description | Task plug-in to reload schema files |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information | |
4.1.51. Space Insensitive String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=Space Insensitive String Syntax,cn=plugins,cn=config |
| Description | Syntax for handling space-insensitive values |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | This plug-in enables the Directory Server to support space and case insensitive values. This allows applications to search the directory using entries with ASCII space characters. For example, a search or compare operation that uses jOHN Doe will match entries that contain johndoe, john doe, and John Doe if the attribute's schema has been configured to use the space insensitive syntax. For more information about finding directory entries, refer to the "Finding Directory Entries" chapter in the Directory Server Administrator's Guide. |
4.1.52. State Change Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | statechange |
| DN of Configuration Entry | cn=State Change Plugin,cn=plugins,cn=config |
| Description | Enables state-change-notification service |
| Type | postoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information | |
4.1.53. Syntax Validation Task Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=Syntax Validation Task,cn=plugins,cn=config |
| Description | Enables syntax validation for attribute values |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information | This plug-in implements syntax validation tasks. The actual process that carries out syntax validation is performed by each specific syntax plug-in. |
4.1.54. Telephone Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | tele-syntax |
| DN of Configuration Entry | cn=Telephone Syntax,cn=plugins,cn=config |
| Description | Supports telephone number syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.55. Teletex Terminal Identifier Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | teletextermid-syntax |
| DN of Configuration Entry | cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config |
| Description | Supports international telephone number syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.56. Telex Number Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | telex-syntax |
| DN of Configuration Entry | cn=Telex Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.57. URI Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=URI Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for unique resource identifiers (URIs), including unique resource locators (URLs); from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.58. USN Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | USN |
| DN of Configuration Entry | cn=USN,cn=plugins,cn=config |
| Description | Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | For replication, it is recommended that the entryUSN configuration attribute be excluded using fractional replication. |
| Further Information | |
4.1.59. Views Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | views |
| DN of Configuration Entry | cn=Views,cn=plugins,cn=config |
| Description | Enables the use of views in the Directory Server databases. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | |
4.2. List of Attributes Common to All Plug-ins
4.2.1. nsslapdPlugin (Object Class)
nsslapdPlugin object class.
top
2.16.840.1.113730.3.2.41
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn | Gives the common name of the entry. |
| nsslapd-pluginPath | Identifies the plugin library name (without the library suffix). |
| nsslapd-pluginInitfunc | Identifies an initialization function of the plugin. |
| nsslapd-pluginType | Identifies the type of plugin. |
| nsslapd-pluginId | Identifies the plugin ID. |
| nsslapd-pluginVersion | Identifies the version of plugin. |
| nsslapd-pluginVendor | Identifies the vendor of plugin. |
| nsslapd-pluginDescription | Identifies the description of the plugin. |
| nsslapd-pluginEnabled | Identifies whether or not the plugin is enabled. |
| nsslapd-pluginPrecedence | Sets the priority for the plug-in in the execution order. |
4.2.2. nsslapd-pluginDescription
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginDescription: acl access check plug-in |
4.2.3. nsslapd-pluginEnabled
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-pluginEnabled: on |
4.2.4. nsslapd-pluginId
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | Any valid plug-in ID |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginId: chaining database |
4.2.5. nsslapd-pluginInitfunc
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | Any valid plug-in function |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginInitfunc: NS7bitAttr_Init |
4.2.6. nsslapd-pluginPath
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | Any valid path |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginPath: uid-plugin |
4.2.7. nsslapd-pluginPrecedence
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | 1 to 99 |
| Default Value | 50 |
| Syntax | Integer |
| Example | nsslapd-pluginPrecedence: 3 |
4.2.8. nsslapd-pluginType
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | Any valid plug-in type |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginType: preoperation |
4.3. Attributes Allowed by Certain Plug-ins
4.3.1. nsslapd-pluginConfigArea
cn=plugins,cn=config. However, the cn=plugins,cn=config is not replicated, which means that the plug-in configurations beneath those container entries must be configured manually, in some way, on every Directory Server instance.
nsslapd-pluginConfigArea attribute points to another container entry, in the main database area, which contains the plug-in instance entries. This container entry can be in a replicated database, which allows the plug-in configuration to be replicated.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DN |
| Example | nsslapd-pluginConfigArea: cn=managed entries container,ou=containers,dc=example,dc=com |
4.3.2. nsslapd-pluginLoadNow
true), as well as all symbols referenced by those symbols, or to load the symbol the first time it is used (false).
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | DirectoryString |
| Example | nsslapd-pluginLoadNow: false |
4.3.3. nsslapd-pluginLoadGlobal
false) or to the executable and to all shared objects (true).
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=plug-in name,cn=plugins,cn=config |
| Valid Values | true | false |
| Default Value | false |
| Syntax | DirectoryString |
| Example | nsslapd-pluginLoadGlobal: false |
4.3.4. nsslapd-plugin-depends-on-type
nsslapd-pluginType. See Section 4.2.8, “nsslapd-pluginType” for further information. All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in. The following postoperation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the postoperation Referential Integrity Plug-in.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=referential integrity postoperation,cn=plugins,cn=config |
| Valid Values | database |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-plugin-depends-on-type: database |
4.3.5. nsslapd-plugin-depends-on-named
cn value of a plug-in. The plug-in with a cn value matching one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start. The following postoperation Referential Integrity Plug-in example shows that the Views plug-in is started before Roles. If Views is missing, the server is not going to start.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=referential integrity postoperation,cn=plugins,cn=config |
| Valid Values | Class of Service |
| Default Value | |
| Syntax | DirectoryString |
| Example | |
4.4. Database Plug-in Attributes

Figure 4.1. Database Plug-in
cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree.
4.4.1. Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config
cn=config,cn=ldbm database,cn=plugins,cn=config tree node.
4.4.1.1. nsslapd-cache-autosize
80, then 80 percent of the remaining free memory would be claimed for the cache. To run other servers on the machine, set the value lower. Setting the value to 0 turns off the cache autosizing and uses the normal nsslapd-cachememsize and nsslapd-dbcachesize attributes.
Note
nsslapd-cache-autosize attribute and nsslapd-cache-autosize-split attribute are both set to high values, such as 100, then the Directory Server may fail to start and return an error message. To fix this issue, reset the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes to a more reasonable level. For example:
nsslapd-cache-autosize: 60
nsslapd-cache-autosize-split: 60
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 (turns cache autosizing off) to 100 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-cache-autosize: 80 |
4.4.1.2. nsslapd-cache-autosize-split
60 would give the database cache 60 percent of the cache space and split the remaining 40 percent between the back end entry caches. That is, if there were two databases, each of them would receive 20 percent. This attribute only applies when the nsslapd-cache-autosize attribute has a value of 0.
Note
nsslapd-cache-autosize attribute and nsslapd-cache-autosize-split attribute are both set to high values, such as 100, then the Directory Server may fail to start and return an error message. To fix this issue, reset the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes to a more reasonable level. For example:
nsslapd-cache-autosize: 60
nsslapd-cache-autosize-split: 60
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 99 |
| Default Value | 50 (This will not necessarily optimize operations.) |
| Syntax | Integer |
| Example | nsslapd-cache-autosize-split: 50 |
4.4.1.3. nsslapd-dbcachesize
.db4 files) and other files. This value is passed to the Berkeley DB API function set_cachesize. If automatic cache resizing is activated, this attribute is overridden when the server replaces these values with its own guessed values at a later stage of the server startup.
LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms |
| Default Value | 10000000 (bytes) |
| Syntax | Integer |
| Example | nsslapd-dbcachesize: 10000000 |
4.4.1.4. nsslapd-db-checkpoint-interval
nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see the "Tuning Directory Server Performance" chapter in the Directory Server Administrator's Guide.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 10 to 300 seconds |
| Default Value | 60 |
| Syntax | Integer |
| Example | nsslapd-db-checkpoint-interval: 120 |
4.4.1.5. nsslapd-db-circular-logging
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-db-circular-logging: on |
4.4.1.6. nsslapd-db-debug
on. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-db-debug: off |
4.4.1.7. nsslapd-db-durable-transactions
nsslapd-db-durable-transactions attribute is absent from dse.ldif. To disable durable transactions, add the attribute to dse.ldif.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-db-durable-transactions: on |
4.4.1.8. nsslapd-db-home-directory
- The disk is heavily used (more than 1 megabyte per second of data transfer).
- There is a long service time (more than 100ms).
- There is mostly write activity.
nsslapd-db-home-directory attribute to specify a subdirectory of a tempfs type filesystem.
nsslapd-db-home-directory attribute must be a subdirectory of a filesystem of type tempfs (such as /tmp). However, Directory Server does not create the subdirectory referenced by this attribute. This directory must be created either manually or by using a script. Failure to create the directory referenced by the nsslapd-db-home-directory attribute will result in Directory Server being unable to start.
nsslapd-db-home-directory attributes must be configured with different directories. Failure to do so will result in the databases for both directories becoming corrupted.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid directory name in a tempfs filesystem, such as /tmp |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-db-home-directory: /tmp/slapd-phonebook |
4.4.1.9. nsslapd-db-idl-divisor
1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead. For the majority of installations, the default value should not be changed unless there are specific tuning needs.
db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.
Warning
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 8 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-db-idl-divisor: 2 |
4.4.1.10. nsslapd-db-logbuf-size
nsslapd-db-logbuf-size attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 32K to maximum 32-bit integer (limited to the amount of memory available on the machine) |
| Default Value | 32K |
| Syntax | Integer |
| Example | nsslapd-db-logbuf-size: 32K |
4.4.1.11. nsslapd-db-logdirectory
/var/lib/dirsrv/slapd-instance_name/db. For fault-tolerance and performance reasons, move this log file to another physical disk. The nsslapd-db-logdirectory attribute is absent from dse.ldif. To change the location of the database transaction log, add the attribute to dse.ldif.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid path and directory name |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-db-logdirectory: /logs/txnlog |
4.4.1.12. nsslapd-db-logfile-size
0, a maximum size of 10 megabytes is used. The maximum size is an unsigned 4-byte value.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to unsigned 4-byte integer |
| Default Value | 10MB |
| Syntax | Integer |
| Example | nsslapd-db-logfile-size: 10 MB |
4.4.1.13. nsslapd-db-page-size
db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 512 bytes to 64 kilobytes |
| Default Value | 8KB |
| Syntax | Integer |
| Example | nsslapd-db-page-size: 8KB |
4.4.1.14. nsslapd-db-spin-count
Warning
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 2^31-1 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-db-spin-count: 0 |
4.4.1.15. nsslapd-db-transaction-batch-val
ldapmodify. For further information on modifying this attribute, refer to the "Tuning Directory Server Performance" chapter in the Directory Server Administrator's Guide.
Warning
0, transaction batching will be turned off, and it will be impossible to make remote modifications to this attribute via LDAP. However, setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value. A value greater than 0 also allows modifications to this attribute remotely via LDAP. A value of 1 for this attribute allows modifications to the attribute setting remotely via LDAP, but results in no batching behavior. A value of 1 at server startup is therefore useful for maintaining normal durability while also allowing transaction batching to be turned on and off remotely when desired. Remember that the value for this attribute may require modifying the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer size for accommodating the batched transactions.
Note
nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 30 |
| Default Value | 0 (or turned off) |
| Syntax | Integer |
| Example | nsslapd-db-transaction-batch-val: 5 |
4.4.1.16. nsslapd-db-trickle-percentage
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 100 |
| Default Value | 40 |
| Syntax | Integer |
| Example | nsslapd-db-trickle-percentage: 40 |
4.4.1.17. nsslapd-db-verbose
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-db-verbose: off |
4.4.1.18. nsslapd-dbncache
nsslapd-dbncache is 0 or 1, the cache will be allocated contiguously in memory. If it is greater than 1, the cache will be broken up into ncache, equally sized separate pieces of memory.
nsslapd-dbncache attribute to cn=config,cn=ldbm database,cn=plugins,cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines.
nsslapd-dbncache value to 3; for an 8 gigabyte system, set it to 2.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 1 to 4 |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-dbncache: 1 |
4.4.1.19. nsslapd-directory
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid absolute path to the database instance |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db |
4.4.1.20. nsslapd-exclude-from-export
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid attribute |
| Default Value | entrydn entryid dncomp parentid numSubordinates entryusn |
| Syntax | DirectoryString |
| Example | nsslapd-exclude-from-export: entrydn entryid dncomp parentid numSubordinates entryusn |
4.4.1.21. nsslapd-idlistscanlimit
LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem. It is advisable to keep the default value to improve search performance.
nsIDListScanLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 100 to the maximum 32-bit integer value (2147483647) entry IDs |
| Default Value | 4000 |
| Syntax | Integer |
| Example | nsslapd-idlistscanlimit: 4000 |
4.4.1.22. nsslapd-import-cache-autosize
importCache) to be used during the command-line-based import process of LDIF files to the database (the ldif2db operation).
nsslapd-import-cache-autosize attribute enables the import cache to be set automatically to a predetermined size when the import operation is run on the command-line. The attribute can also be used by Directory Server during the task mode import for allocating a specified percentage of free memory for import cache.
nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes the import cache for the ldif2db operation only, automatically allocating fifty percent (50%) of the free physical memory for the import cache. The percentage value (50%) is hard-coded and cannot be changed.
50 (nsslapd-import-cache-autosize: 50) has the same effect on performance during an ldif2db operation. However, such a setting will have the same effect on performance when the import operation is run as a Directory Server task. The -1 value autosizes the import cache just for the ldif2db operation and not for general Directory Server tasks, including import tasks.
Note
-1 setting is to enable the ldif2db operation to benefit from free physical memory but, at the same time, not compete for valuable memory with the entry cache, which is used for general operations of the Directory Server.
nsslapd-import-cache-autosize attribute value to 0 turns off the import cache autosizing feature - that is, no autosizing occurs during either mode of the import operation. Instead, Directory Server uses the nsslapd-import-cachesize attribute for import cache size, with a default value of 20000000.
nsslapd-cache-autosize attribute, which is used for autosizing the entry cache and database cache, is used during the Directory Server operations only and not during the ldif2db command-line operation; the attribute value is the percentage of free physical memory to be allocated for the entry cache and database cache.
nsslapd-cache-autosize and nsslapd-import-cache-autosize, are enabled, ensure that their sum is less than 100.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1, 0 (turns import cache autosizing off) to 100 |
| Default Value | -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to import cache) |
| Syntax | Integer |
| Example | nsslapd-import-cache-autosize: -1 |
4.4.1.23. nsslapd-import-cachesize
LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem.
Note
nsslapd-import-cachesize attribute to 1 gigabyte, then 1 gigabyte is used when loading one database, 2 gigabytes is used when loading two databases, and so on. Ensure there is sufficient physical memory to prevent swapping from occurring, as this would result in performance degradation.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms |
| Default Value | 20000000 |
| Syntax | Integer |
| Example | nsslapd-import-cachesize: 20000000 |
4.4.1.24. nsslapd-lookthroughlimit
nsLookThroughLimit is present in the entry as which a user binds, the default limit will be overridden. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 5000 |
| Syntax | Integer |
| Example | nsslapd-lookthroughlimit: 5000 |
4.4.1.25. nsslapd-mode
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user as whom the ns-slapd runs) and no access for other users. |
| Default Value | 600 |
| Syntax | Integer |
| Example | nsslapd-mode: 0600 |
4.4.1.26. nsslapd-pagedidlistscanlimit
nsslapd-idlistscanlimit attribute, except that it only applies to searches with the simple paged results control.
nsslapd-idlistscanlimit is used for paged searches as well as non-paged searches.
nsPagedIDListScanLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-pagedidlistscanlimit: 5000 |
4.4.1.27. nsslapd-pagedlookthroughlimit
nsslapd-lookthroughlimit attribute, except that it only applies to searches with the simple paged results control.
nsslapd-lookthroughlimit is used for paged searches as well as non-paged searches.
nsPagedLookThroughLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-pagedlookthroughlimit: 25000 |
4.4.1.28. nsslapd-rangelookthroughlimit
(modifyTimestamp>=20170101010101Z)
nsslapd-rangelookthroughlimit attribute sets a separate range look-through limit that applies to all users, including Directory Manager.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 5000 |
| Syntax | Integer |
| Example | nsslapd-rangelookthroughlimit: 5000 |
4.4.1.29. nsslapd-subtree-rename-switch
entryrdn.db4 index, which associates parent and child entries by an assigned ID rather than their DN. If subtree rename operations are not allowed, then the entryrdn.db4 index is disabled and the entrydn.db4 index is used, which simply uses full DNs, with the implicit parent-child relationships.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | off | on |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-subtree-rename-switch: on |
4.4.2. Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
cn=monitor,cn=ldbm database,cn=plugins,cn=config tree node. For more information on these entries, refer to the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
This attribute shows the percentage of requested pages found in the database cache (hits/tries).
Important
4.4.3. Database Attributes under cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=NetscapeRoot and cn=userRoot subtrees contain configuration data for, or the definition of, the databases containing the o=NetscapeRoot and o=userRoot suffixes. The cn=NetscapeRoot subtree contains the configuration data used by the Admin Server for authentication and all actions that cannot be performed through LDAP (such as start/stop), and the cn=userRoot subtree contains all the configuration data for the user-defined database.
cn=userRoot subtree is called userRoot by default. However, this is not hard-coded and, given the fact that there are going to be multiple database instances, this name is changed and defined by the user as and when new databases are added. The cn=userRoot database referenced can be any user database.
cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and the user database, such as cn=userRoot or cn=database_name,cn=ldbm database,cn=plugins,cn=config subtrees.
4.4.3.1. nsslapd-cachesize
nsslapd-cachememsize attribute, which sets an absolute allocation of RAM for the entry cache size, as described in Section 4.4.3.2, “nsslapd-cachememsize”.
Note
nsslapd-cachememsize attribute also defines the import buffer size. The import buffer size is automatically configured to be 80% of whatever the nsslapd-cachememsize setting is. When importing databases with very large attributes, be sure to reset the nsslapd-cachememsize value to something high enough so that .80*cacheSize is enough to allow the import to proceed.
LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 1 to 2^32-1 on 32-bit systems or 2^63-1 on 64-bit systems or -1, which means limitless |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-cachesize: -1 |
4.4.3.2. nsslapd-cachememsize
LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 2^32-1 on 32-bit systems and to 2^64-1 on 64-bit systems |
| Default Value | 10,485,760 (10 megabytes) |
| Syntax | Integer |
| Example | nsslapd-cachememsize: 10485760 |
4.4.3.3. nsslapd-directory
nsslapd-directory in the global database entry cn=config,cn=ldbm database,cn=plugins,cn=config. The database instance directory is named after the instance name and located in the global database directory, by default. After the database instance has been created, do not modify this path, because any changes risk preventing the server from accessing data.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid path to the database instance |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-directory: /var/lib/dirsrv/slapd-instance_name/db/userRoot |
4.4.3.4. nsslapd-dncachememsize
LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 2^32-1 on 32-bit systems and to 2^64-1 on 64-bit systems |
| Default Value | 10,485,760 (10 megabytes) |
| Syntax | Integer |
| Example | nsslapd-dncachememsize: 10485760 |
4.4.3.5. nsslapd-readonly
off, then users have all read, write, and execute permissions allowed by their access permissions.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-readonly: off |
4.4.3.6. nsslapd-require-index
on, this attribute allows one to refuse unindexed searches. This performance-related attribute avoids saturating the server with erroneous searches.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-require-index: off |
4.4.3.7. nsslapd-suffix
| Parameter | Description |
|---|---|
| Entry DN | cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-suffix: o=NetscapeRoot |
4.4.3.8. vlvBase
Note
userRoot, not configuration databases like o=NetscapeRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvBase: ou=People,dc=example,dc=com |
4.4.3.9. vlvEnabled
Note
userRoot, not configuration databases like o=NetscapeRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0 (disabled) | 1 (enabled) |
| Default Value | 1 |
| Syntax | DirectoryString |
| Example | vlvEnabled: 0 |
4.4.3.10. vlvFilter
vlvFilter attribute.
Note
userRoot, not configuration databases like o=NetscapeRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid LDAP filter |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvFilter: (|(objectclass=*)(objectclass=ldapsubentry)) |
4.4.3.11. vlvIndex (Object Class)
vlvIndex object class defines the index entry.
top
2.16.840.1.113730.3.2.42
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Gives the common name of the entry. |
| vlvSort | Identifies the attribute list that the browsing index (virtual list view index) is sorted on. |

| Attribute | Definition |
|---|---|
| vlvEnabled | Stores the availability of the browsing index. |
| vlvUses | Contains the count of times the browsing index is used. |
4.4.3.12. vlvScope
Note
userRoot, not configuration databases like o=NetscapeRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | Integer |
| Example | vlvScope: 2 |
4.4.3.13. vlvSearch (Object Class)
vlvSearch object class defines the search filter entry.
top
2.16.840.1.113730.3.2.38
| Attribute | Definition |
|---|---|
| multiLineDescription | Gives a text description of the entry. |
4.4.3.14. vlvSort
Note
vlvIndex entry beneath the vlvSearch entry.
Note
userRoot, not configuration databases like o=NetscapeRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=index_name,cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any Directory Server attributes, in a space-separated list |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvSort: cn givenName o ou sn |
4.4.3.15. vlvUses
Note
userRoot, not configuration databases like o=NetscapeRoot.
| Parameter | Description |
|---|---|
| Entry DN | cn=index_name,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | N/A |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvUses: 800 |
4.4.4. Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-counters attribute in cn=config is set to on, then some of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. For database monitoring, the entrycachehits and entrycachetries counters use 64-bit integers.
Note
nsslapd-counters attribute enables 64-bit support for these specific database and server counters. The counters which use 64-bit integers are not configurable; the 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.
Current value of the nsslapd-ndn-cache-max-size parameter. For details how to update this setting, see Section 3.1.1.100, “nsslapd-ndn-cache-max-size”.
4.4.5. Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
entrycachehits and entrycachetries.
nsslapd-counters attribute in cn=config is set to on, then some of the counters kept by the Directory Server instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of Directory Server. For the database monitoring, the entrycachehits and entrycachetries counters use 64-bit integers.
Note
nsslapd-counters attribute enables 64-bit support for these specific database and server counters. The counters which use 64-bit integers are not configurable; the 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.
This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
This attribute shows the total number of hash elements traversed during hash table lookups.
This attribute shows the total number of locks not immediately available due to conflicts.
This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
This attribute shows the number of bytes written to this log since the last checkpoint.
This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
This attribute shows the number of megabytes and bytes written to this log.
This attribute shows the longest chain ever encountered in buffer hash table lookups.
This attribute shows the clean pages forced from the cache.
This attribute shows the dirty pages written using the memp_trickle interface.
This attribute shows the number of times that a thread of control was forced to wait before obtaining the region lock.
4.4.6. Database Attributes under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
4.4.6.1. cn
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid index cn |
| Default Value | None |
| Syntax | DirectoryString |
| Example | cn: aci |
4.4.6.2. nsIndex
top
2.16.840.1.113730.3.2.44
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Gives the common name of the entry. |
| nsSystemIndex | Identifies whether or not the index is a system-defined index. |

| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| nsIndexType | Identifies the index type. |
| nsMatchingRule | Identifies the matching rule. |
4.4.6.3. nsIndexType
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsIndexType: eq |
4.4.6.4. nsMatchingRule
uidNumber and gidNumber are two commonly used attributes that fall into this category.
uidNumber that uses integer syntax, the rule attribute could be nsMatchingRule: integerOrderingMatch.
Note
db2index, which is described in more detail in the "Managing Indexes" chapter of the Directory Server Administrator's Guide).
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid collation order object identifier (OID) |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsMatchingRule: 2.16.840.1.113730.3.3.2.3.1 (For Bulgarian) |
4.4.6.5. nsSystemIndex
true, then it is system-essential. System indexes should not be removed, as this will seriously disrupt server functionality.
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | true | false |
| Default Value | |
| Syntax | DirectoryString |
| Example | nssystemindex: true |
4.4.7. Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
NetscapeRoot database. The attributes containing database statistics are given for each file that makes up the database. For further information, see the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
This attribute gives the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier.
This attribute gives the number of times that a search requiring data from this file was performed and that the data were successfully obtained from the cache.
4.4.8. Database Attributes under cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for o=NetscapeRoot, o=UserRoot, and user-defined back end instances; these are stored under cn=index, cn=database_name, cn=ldbm database,cn=plugins,cn=config. Each indexed attribute represents a subentry under the cn=config information tree nodes, as shown in the following diagram:

Figure 4.2. Indexed Attribute Representing a Subentry
aci attribute under o=UserRoot appears in the Directory Server as follows:
dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsIndex
cn:aci
nsSystemIndex:true
nsIndexType:pres
4.4.8.1. nsIndexIDListScanLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | See the corresponding section in the Directory Server Performance Tuning Guide. |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsIndexIDListScanLimit: limit=0 type=eq values=inetorgperson |
4.4.8.2. nsSubStrBegin
abc would be an indexed search while ab* would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches.
nsSubStrBegin attribute sets the required number of characters for an indexed search for the beginning of a search string, before the wildcard. For example:
abc*
db2index.
| Parameter | Description |
|---|---|
| Entry DN | cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsSubStrBegin: 2 |
4.4.8.3. nsSubStrEnd
abc would be an indexed search while ab* would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches.
nsSubStrEnd attribute sets the required number of characters for an indexed search for the end of a search string, after the wildcard. For example:
*xyz
db2index.
| Parameter | Description |
|---|---|
| Entry DN | cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsSubStrEnd: 2 |
4.4.8.4. nsSubStrMiddle
abc would be an indexed search while ab* would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches.
nsSubStrMiddle attribute sets the required number of characters for an indexed search where a wildcard is used in the middle of a search string. For example:
ab*z
db2index.
| Parameter | Description |
|---|---|
| Entry DN | cn=attribute_name,cn=index,cn=database_name,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsSubStrMiddle: 3 |
4.4.9. Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
nsAttributeEncryption object class allows selective encryption of attributes within a database. Extremely sensitive information such as credit card numbers and government identification numbers may not be protected enough by routine access control measures. Normally, these attribute values are stored in CLEAR within the database; encrypting them while they are stored adds another layer of protection. This object class has one attribute, nsEncryptionAlgorithm, which sets the encryption cipher used per attribute. Each encrypted attribute represents a subentry under the above cn=config information tree nodes, as shown in the following diagram:

Figure 4.3. Encrypted Attributes under the cn=config Node
userPassword attribute under o=UserRoot appears in the Directory Server as follows:
dn:cn=userPassword,cn=encrypted attributes,o=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsAttributeEncryption
cn:userPassword
nsEncryptionAlgorithm:AES
4.4.9.1. nsAttributeEncryption (Object Class)
top
2.16.840.1.113730.3.2.316
| objectClass | Defines the object classes for the entry. |
| cn | Specifies the attribute being encrypted using its common name. |
| nsEncryptionAlgorithm | The encryption cipher used. |
4.4.9.2. nsEncryptionAlgorithm
nsEncryptionAlgorithm selects the cipher used by nsAttributeEncryption. The algorithm can be set per encrypted attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=attributeName,cn=encrypted attributes,cn=databaseName,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | The following are supported ciphers: |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsEncryptionAlgorithm: AES |
4.5. Database Link Plug-in Attributes (Chaining Attributes)

Figure 4.4. Database Link Plug-in
cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in bold in the cn=chaining database,cn=plugins,cn=config information tree in Figure 4.4, “Database Link Plug-in”.
4.5.1. Database Link Attributes under cn=config,cn=chaining database,cn=plugins,cn=config
cn=config,cn=chaining database,cn=plugins,cn=config tree node.
4.5.1.1. nsActiveChainingComponents
None. This attribute also allows the components used to chain to be altered. By default, no components are allowed to chain, which explains why this attribute will probably not appear in a list of cn=config,cn=chaining database,cn=config attributes, as LDAP considers empty attributes to be non-existent.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid component entry |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config |
4.5.1.2. nsMaxResponseDelay
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid delay period in seconds |
| Default Value | 60 seconds |
| Syntax | Integer |
| Example | nsMaxResponseDelay: 60 |
4.5.1.3. nsMaxTestResponseDelay
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid delay period in seconds |
| Default Value | 15 seconds |
| Syntax | Integer |
| Example | nsMaxTestResponseDelay: 15 |
4.5.1.4. nsTransmittedControls
cn=database link instance, cn=chaining database,cn=plugins,cn=config) configuration attribute, allows the controls the database link forwards to be altered. The following controls are forwarded by default by the database link:
- Managed DSA (OID: 2.16.840.1.113730.3.4.2)
- Virtual list view (VLV) (OID: 2.16.840.1.113730.3.4.9)
- Server side sorting (OID: 1.2.840.113556.1.4.473)
- Loop detection (OID: 1.3.6.1.4.1.1466.29539.12)
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid OID or the above listed controls forwarded by the database link |
| Default Value | None |
| Syntax | Integer |
| Example | nsTransmittedControls: 1.2.840.113556.1.4.473 |
4.5.2. Database Link Attributes under cn=default instance config,cn=chaining database,cn=plugins,cn=config
cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node.
4.5.2.1. nsAbandonedSearchCheckInterval
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to maximum 32-bit integer (2147483647) seconds |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsAbandonedSearchCheckInterval: 10 |
4.5.2.2. nsBindConnectionsLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to 50 connections |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsBindConnectionsLimit: 3 |
4.5.2.3. nsBindRetryLimit
1 here indicates that the database link only attempts to bind once.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to 5 |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsBindRetryLimit: 3 |
4.5.2.4. nsBindTimeout
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to 60 seconds |
| Default Value | 15 |
| Syntax | Integer |
| Example | nsBindTimeout: 15 |
4.5.2.5. nsCheckLocalACI
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsCheckLocalACI: on |
4.5.2.6. nsConcurrentBindLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to 25 binds |
| Default Value | 10 |
| Syntax | Integer |
| Example | nsConcurrentBindLimit: 10 |
4.5.2.7. nsConcurrentOperationsLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to 50 operations |
| Default Value | 2 |
| Syntax | Integer |
| Example | nsConcurrentOperationsLimit: 5 |
4.5.2.8. nsConnectionLife
0 and a list of failover servers is provided in the nsFarmServerURL attribute, the main server is never contacted after failover to the alternate server.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to limitless seconds (where 0 means forever) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsConnectionLife: 0 |
4.5.2.9. nsOperationConnectionsLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to n connections |
| Default Value | 20 |
| Syntax | Integer |
| Example | nsOperationConnectionsLimit: 10 |
4.5.2.10. nsProxiedAuthorization
nsMultiplexorBindDn attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsProxiedAuthorization: on |
4.5.2.11. nsReferralOnScopedSearch
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsReferralOnScopedSearch: off |
4.5.2.12. nsSizeLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | -1 (no limit) to maximum 32-bit integer (2147483647) entries |
| Default Value | 2000 |
| Syntax | Integer |
| Example | nsSizeLimit: 2000 |
4.5.2.13. nsTimeLimit
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer (2147483647) seconds |
| Default Value | 3600 |
| Syntax | Integer |
| Example | nsTimeLimit: 3600 |
4.5.3. Database Link Attributes under cn=database_link_name,cn=chaining database,cn=plugins,cn=config
4.5.3.1. nsBindMechanism
- empty. This performs simple authentication and requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.
- EXTERNAL. This uses an SSL certificate to authenticate the farm server to the remote server. Either the farm server URL must be set to the secure URL (ldaps) or the nsUseStartTLS attribute must be set to on. Additionally, the remote server must be configured to map the farm server's certificate to its bind identity. Certificate mapping is described in the Administrator's Guide.
- DIGEST-MD5. This uses SASL with DIGEST-MD5 encryption. As with simple authentication, this requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.
- GSSAPI. This uses Kerberos-based authentication over SASL. The farm server must be connected over the standard port, meaning the URL has ldap, because the Directory Server does not support SASL/GSSAPI over SSL. The farm server must be configured with a Kerberos keytab, and the remote server must have a defined SASL mapping for the farm server's bind identity. Setting up Kerberos keytabs and SASL mappings is described in the Administrator's Guide.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_link_name,cn=chaining database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | empty |
| Syntax | DirectoryString |
| Example | nsBindMechanism: GSSAPI |
4.5.3.2. nsFarmServerURL
| Parameter | Description |
|---|---|
| Entry DN | cn=database_link_name,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid remote server LDAP URL |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsFarmServerURL: ldap://farm1.example.com farm2.example.com:389 farm3.example.com:1389/ |
4.5.3.3. nsMultiplexorBindDN
anonymous.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_link_name,cn=chaining database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | DN of the multiplexor |
| Syntax | DirectoryString |
| Example | nsMultiplexorBindDN: cn=proxy manager |
4.5.3.4. nsMultiplexorCredentials
anonymous. The password is encrypted in the configuration file. The example below is what is shown, not what is typed.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_link_name,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid password, which will then be encrypted using the DES reversible password encryption schema |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsMultiplexorCredentials: {DES} 9Eko69APCJfF |
4.5.3.5. nshoplimit
| Parameter | Description |
|---|---|
| Entry DN | cn=database_link_name,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to an appropriate upper limit for the deployment |
| Default Value | 10 |
| Syntax | Integer |
| Example | nsHopLimit: 3 |
4.5.3.6. nsUseStartTLS
nsBindMechanism attribute is set to EXTERNAL but the farm server URL is set to the standard URL (ldap) or if the nsBindMechanism attribute is left empty.
| Parameter | Description |
|---|---|
| Entry DN | cn=database_link_name,cn=chaining database,cn=plugins,cn=config |
| Valid Values | off | on |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsUseStartTLS: on |
4.5.4. Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config information tree.
4.6. PAM Pass Through Auth Plug-in Attributes
60pam-plugin.ldif schema file) are available to a child entry; the child entry must be an instance of the PAM configuration object class.
Example 4.1. Example PAM Pass Through Auth Configuration Entries
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginLoadGlobal: true
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 9.0.0
nsslapd-pluginVendor: Red Hat
nsslapd-pluginDescription: PAM pass through authentication plugin

dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: Example PAM Config
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamIDAttr: customPamUid
pamFilter: (manager=uid=bjensen,ou=people,dc=example,dc=com)
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver

pamIDMapMethod: RDN
pamSecure: FALSE
pamService: ldapserver
4.6.1. pamConfig (Object Class)
top
2.16.840.1.113730.3.2.318
| Attribute | Definition |
|---|---|
| pamExcludeSuffix | Identifies suffixes to exclude from PAM authentication. |
| pamIncludeSuffix | Identifies suffixes to include for PAM authentication. |
| pamMissingSuffix | Identifies how to handle missing include or exclude suffixes. |
| pamFilter | Sets an LDAP filter to specify entries within the included suffixes for which PAM pass-through authentication is enabled. |
| pamIDAttr | Identifies the name of the attribute holding the PAM ID. |
| pamIDMapMethod | Identifies how to map the LDAP bind DN to a PAM identity. |
| pamFallback | Identifies whether to fall back to regular LDAP authentication if PAM authentication fails. |
| pamSecure | Identifies whether to require a secure (TLS/SSL) connection for PAM authentication. |
| pamService | Identifies service names to pass to PAM. This assumes that the service specified has a configuration file in /etc/pam.d. Important: The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM fprintd module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort. |
| nsslapd-pluginConfigArea | Specifies a different container entry for the plug-in to use to find child entries. If a different container entry is used, then all PAM pass-through authentication child entries must be located beneath that container entry. All child entries in the specified location must belong to the pamConfig object class, but neither the container entry nor the PAM Pass-Through Auth Plug-in entry must belong to the pamConfig object class in that case. |
4.6.2. pamExcludeSuffix
| OID | 2.16.840.1.113730.3.1.2068 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
4.6.3. pamFallback
| OID | 2.16.840.1.113730.3.1.2072 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.4. pamFilter
| OID | 2.16.840.1.113730.3.1.2131 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.5. pamIDAttr
| OID | 2.16.840.1.113730.3.1.2071 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
4.6.6. pamIDMapMethod
| OID | 2.16.840.1.113730.3.1.2070 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.7. pamIncludeSuffix
| OID | 2.16.840.1.113730.3.1.2067 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
4.6.8. pamMissingSuffix
| OID | 2.16.840.1.113730.3.1.2069 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.9. pamSecure
| OID | 2.16.840.1.113730.3.1.2073 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.6.10. pamService
/etc/pam.d.
Important
The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication Plug-in configuration. Using the PAM fprintd module causes the Directory Server to hit the max file descriptor limit and can cause the Directory Server process to abort.
| OID | 2.16.840.1.113730.3.1.2074 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
4.7. Account Policy Plug-in Attributes
dn: cn=Account Policy Plugin,cn=plugins,cn=config
...
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
... attributes for evaluating accounts ...
alwaysRecordLogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp
... attributes for account policy entries ...
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
Example 4.2. Account Policy Definition
dn: cn=AccountPolicy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
# 86400 seconds per day * 30 days = 2592000 seconds
accountInactivityLimit: 2592000
cn: AccountPolicy
Example 4.3. User Account with Account Policy
dn: uid=scarter,ou=people,dc=example,dc=com
...
lastLoginTime: 20060527001051Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com
4.7.1. altstateattrname
lastLoginTime. However, there may be instances where that attribute does not exist on an entry, such as a user who never logged into his account. The altstateattrname attribute provides a backup attribute for the server to reference to evaluate the expiration time.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | altstateattrname: createTimeStamp |
4.7.2. alwaysRecordLogin
acctPolicySubentry attribute — have their login times tracked. If account policies are applied through classes of service or roles, then the acctPolicySubentry attribute is on the template or container entry, not the user entries themselves.
alwaysRecordLogin attribute sets that every entry records its last login time. This allows CoS and roles to be used to apply account policies.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | yes | no |
| Default Value | no |
| Syntax | DirectoryString |
| Example | alwaysRecordLogin: no |
4.7.3. limitattrname
limitattrname attribute in the Account Policy Plug-in, and it is applied globally to all account policies.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | limitattrname: accountInactivityLimit |
4.7.4. specattrname
specattrname; it will usually be set to acctPolicySubentry.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | specattrname: acctPolicySubentry |
4.7.5. stateattrname
lastLoginTime. The primary time attribute used to evaluate an account policy is set in the stateattrname attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | stateattrname: lastLoginTime |
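The following added example (not part of the original reference or of Directory Server itself) shows how the five plug-in attributes above fit together when auditing accounts for inactivity: the policy is found through specattrname, the limit through limitattrname, and the timestamp through stateattrname with altstateattrname as the fallback. The sample entries other than scarter, the status names, and the "strictly older than the limit" comparison are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Plug-in settings as shown in the cn=config entry of section 4.7.
PLUGIN_CONFIG = {
    "stateattrname": "lastLoginTime",
    "altstateattrname": "createTimestamp",
    "specattrname": "acctPolicySubentry",
    "limitattrname": "accountInactivityLimit",
}

# Policy entries keyed by lower-cased DN (values from Example 4.2).
POLICIES = {
    "cn=accountpolicy,dc=example,dc=com": {"accountInactivityLimit": "2592000"},
}

# Sample entries. Only scarter's values come from Example 4.3; the other
# two entries are constructed for this example.
ENTRIES = {
    "uid=scarter,ou=people,dc=example,dc=com": {
        "lastLoginTime": "20060527001051Z",
        "acctPolicySubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    "uid=newhire,ou=people,dc=example,dc=com": {
        "createTimestamp": "20060601120000Z",  # never logged in
        "acctPolicySubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    "uid=svc-backup,ou=people,dc=example,dc=com": {
        "lastLoginTime": "20050101000000Z",    # no policy attached
    },
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def get_attr(entry, name):
    """Case-insensitive single-value lookup; LDAP attribute names ignore case."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate(entry, now, config=PLUGIN_CONFIG, policies=POLICIES):
    """Return (status, attribute_used) for one entry.

    status is one of: no-policy, policy-missing, no-timestamp, active, inactive.
    """
    policy_dn = get_attr(entry, config["specattrname"])
    if policy_dn is None:
        return ("no-policy", None)
    policy = policies.get(policy_dn.lower())
    if policy is None:
        return ("policy-missing", None)
    limit = timedelta(seconds=int(get_attr(policy, config["limitattrname"])))

    # Primary time attribute first, then the backup attribute.
    source = config["stateattrname"]
    stamp = get_attr(entry, source)
    if stamp is None:
        source = config["altstateattrname"]
        stamp = get_attr(entry, source)
    if stamp is None:
        return ("no-timestamp", None)

    idle = now - parse_generalized_time(stamp)
    return ("inactive" if idle > limit else "active", source)


def audit(entries, now):
    """Evaluate every entry and return {dn: (status, attribute_used)}."""
    return {dn: evaluate(entry, now) for dn, entry in entries.items()}


if __name__ == "__main__":
    for dn, result in audit(ENTRIES, datetime(2006, 7, 5, tzinfo=timezone.utc)).items():
        print(dn, result)
```

Entries that report no-timestamp deserve attention in a real audit, because neither the primary nor the backup attribute can expire them.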
4.8. Auto Membership Plug-in Attributes
dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn

dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com
4.8.1. autoMemberDefinition (Object Class)
cn=Auto Membership Plugin,cn=plugins,cn=config.
- autoMemberScope
- autoMemberFilter
- autoMemberDefaultGroup
- autoMemberGroupingAttr
4.8.2. autoMemberDefaultGroup
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any existing Directory Server group |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberDefaultGroup: cn=hostgroups,ou=groups,dc=example,dc=com |
4.8.3. autoMemberFilter
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP search filter |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberFilter: objectclass=ntUser |
4.8.4. autoMemberGroupingAttr
groupOfUniqueNames user group, each member is added as a uniqueMember attribute. The value of uniqueMember is the DN of the user entry. In essence, each group member is identified by the attribute-value pair of uniqueMember: user_entry_DN. The member entry format, then, is uniqueMember:dn.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberGroupingAttr: member:dn |
4.8.5. autoMemberScope
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server subtree |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberScope: dc=example,dc=com |
4.8.6. autoMemberRegexRule (Object Class)
objectclass: autoMemberDefinition).
- autoMemberInclusiveRegex
- autoMemberExclusiveRegex
- autoMemberTargetGroup
4.8.7. autoMemberExclusiveRegex
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any regular expression |
| Default Value | None |
| Single- or Multi-Valued | Multi-valued |
| Syntax | DirectoryString |
| Example | autoMemberExclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |
4.8.8. autoMemberInclusiveRegex
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any regular expression |
| Default Value | None |
| Single- or Multi-Valued | Multi-valued |
| Syntax | DirectoryString |
| Example | autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |
4.8.9. autoMemberTargetGroup
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server group |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberTargetGroup: cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com |
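As an added example (not code from the original reference or from the plug-in), the sketch below evaluates the Hostgroups definition and webservers rule from section 4.8 against sample host entries, so a rule can be checked before it starts assigning group membership. It assumes search-style regular expression matching (Python's re.search), that an exclusive match overrides an inclusive one, and a simple attribute=value filter; the host entries and the anchored variant of the rule are constructed. It also shows why an inclusive expression without a trailing `$` accepts any value that merely begins with the intended name.

```python
import re

# Definition and rule values from the entries shown in section 4.8.
DEFINITION = {
    "autoMemberScope": "dc=example,dc=com",
    "autoMemberFilter": "objectclass=ipHost",
    "autoMemberDefaultGroup": "cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com",
}
RULES = [{
    "autoMemberTargetGroup": "cn=webservers,cn=hostgroups,dc=example,dc=com",
    "autoMemberInclusiveRegex": [r"fqdn=^www\.web[0-9]+\.example\.com"],
    "autoMemberExclusiveRegex": [],
}]
# Constructed variant: the same rule with the expression anchored at the end.
ANCHORED_RULES = [dict(RULES[0], autoMemberInclusiveRegex=[
    r"fqdn=^www\.web[0-9]+\.example\.com$"])]


def parse_regex_rule(value):
    """Split 'attribute=regex' at the first '=' and compile the regex."""
    attr, _, pattern = value.partition("=")
    return attr.strip().lower(), re.compile(pattern)


def values_of(entry, attr):
    """Case-insensitive attribute lookup; returns a list of values."""
    for key, vals in entry.items():
        if key.lower() == attr:
            return vals
    return []


def in_scope(dn, scope):
    """True if dn is the scope entry or lies beneath it."""
    dn, scope = dn.lower(), scope.lower()
    return dn == scope or dn.endswith("," + scope)


def matches_filter(entry, flt):
    """Handle only a simple 'attr=value' equality filter (assumption)."""
    attr, _, value = flt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in values_of(entry, attr.lower()))


def rule_hits(entry, regex_values):
    """True if any attribute value matches any of the 'attr=regex' rules."""
    for raw in regex_values:
        attr, rx = parse_regex_rule(raw)
        if any(rx.search(v) for v in values_of(entry, attr)):
            return True
    return False


def target_groups(dn, entry, definition=DEFINITION, rules=RULES):
    """Return the groups a new entry would be added to ([] if not covered)."""
    if not in_scope(dn, definition["autoMemberScope"]):
        return []
    if not matches_filter(entry, definition["autoMemberFilter"]):
        return []
    groups = []
    for rule in rules:
        if rule_hits(entry, rule.get("autoMemberExclusiveRegex", [])):
            continue  # assumed: exclusion wins over inclusion
        if rule_hits(entry, rule.get("autoMemberInclusiveRegex", [])):
            groups.append(rule["autoMemberTargetGroup"])
    return groups or [definition["autoMemberDefaultGroup"]]


def host(fqdn):
    """Build a constructed ipHost entry for testing."""
    return {"objectClass": ["top", "ipHost"], "fqdn": [fqdn]}


if __name__ == "__main__":
    for name in ("www.web3.example.com", "db1.example.com",
                 "www.web3.example.com.lab.invalid"):
        dn = "cn=%s,ou=hosts,dc=example,dc=com" % name
        print(name, target_groups(dn, host(name)),
              target_groups(dn, host(name), rules=ANCHORED_RULES))
```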
4.9. Distributed Numeric Assignment Plug-in Attributes
4.9.1. dnaPluginConfig (Object Class)
top
2.16.840.1.113730.3.2.324
- dnaType
- dnaPrefix
- dnaNextValue
- dnaMaxValue
- dnaInterval
- dnaMagicRegen
- dnaFilter
- dnaScope
- dnaSharedCfgDN
- dnaThreshold
- dnaNextRange
- dnaRangeRequestTimeout
- cn
4.9.2. dnaFilter
dnaFilter attribute is required to set up distributed numeric assignment for an attribute.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaFilter: (objectclass=person) |
4.9.3. dnaInterval
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any integer |
| Default Value | None |
| Syntax | Integer |
| Example | dnaInterval: 3 |
4.9.4. dnaMagicRegen
dnaMagicRegen value must also be an integer.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any string |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaMagicRegen: -1 |
4.9.5. dnaMaxValue
-1, which is the same as setting the highest 64-bit integer.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems; -1 is unlimited |
| Default Value | -1 |
| Syntax | Integer |
| Example | dnaMaxValue: 1000 |
4.9.6. dnaNextRange
dnaNextRange attribute should be set explicitly only if a separate, specific range has to be assigned to other servers. Any range set in the dnaNextRange attribute must be unique from the available range for the other servers to avoid duplication. If there is no request from the other servers and the server where dnaNextRange is set explicitly has reached its set dnaMaxValue, the next set of values (part of the dnaNextRange) is allocated from this deck.
dnaNextRange allocation is also limited by the dnaThreshold attribute that is set in the DNA configuration. Any range allocated to another server for dnaNextRange cannot violate the threshold for the server, even if the range is available on the deck of dnaNextRange.
Note
dnaNextRange attribute is handled internally if it is not set explicitly. When it is handled automatically, the dnaMaxValue attribute serves as upper limit for the next range.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems for the lower and upper ranges |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaNextRange: 100-500 |
4.9.7. dnaNextValue
dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | -1 |
| Syntax | Integer |
| Example | dnaNextValue: 1 |
4.9.8. dnaPrefix
user1000, the dnaPrefix setting would be user.
dnaPrefix can hold any kind of string. However, some possible values for dnaType (such as uidNumber and gidNumber) require only integer values. To use a prefix string, consider using a custom attribute for dnaType which allows strings.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any string |
| Default Value | None |
| Example | dnaPrefix: id |
4.9.9. dnaRangeRequestTimeout
dnaThreshold attribute sets a threshold of available numbers in the range, so that the server can request an additional range from the other servers before it is unable to perform number assignments.
dnaRangeRequestTimeout attribute sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server.
dnaSharedCfgDN attribute must be set.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | 10 |
| Syntax | Integer |
| Example | dnaRangeRequestTimeout: 15 |
4.9.10. dnaScope
ldapsearch.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server entry |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaScope: ou=people,dc=example,dc=com |
4.9.12. dnaThreshold
dnaThreshold attribute sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range.
dnaSharedCfgDN attribute must be set.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | 100 |
| Syntax | Integer |
| Example | dnaThreshold: 100 |
4.9.13. dnaType
dnaPrefix attribute is set, then the prefix value is prepended to whatever value is generated by dnaType. The dnaPrefix value can be any kind of string, but some reasonable values for dnaType (such as uidNumber and gidNumber) require only integer values. To use a prefix string, consider using a custom attribute for dnaType which allows strings.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Example | dnaType: uidNumber |
4.9.15. dnaHostname
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString |
| Valid Range | Any valid host name |
| Default Value | None |
| Example | dnahostname: ldap1.example.com |
4.9.16. dnaPortNum
dnaHostname.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | Integer |
| Valid Range | 0 to 65535 |
| Default Value | 389 |
| Example | dnaPortNum: 389 |
4.9.17. dnaRemainingValues
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | Integer |
| Valid Range | Any integer |
| Default Value | None |
| Example | dnaRemainingValues: 1000 |
4.9.18. dnaSecurePortNum
dnaHostname.
| Parameter | Description |
|---|---|
| Entry DN | DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | Integer |
| Valid Range | 0 to 65535 |
| Default Value | 636 |
| Example | dnaSecurePortNum: 636 |
4.10. Linked Attributes Plug-in Attributes
member attribute in group entries to set memberOf attribute in user entries. Only with the Linked Attributes Plug-in, all of the link/managed attributes are user-defined and there can be multiple instances of the plug-in, each reflecting different link-managed relationships.
- Both the link attribute and the managed attribute must have DNs as values. The DN in the link attribute points to the entry to add the managed attribute to. The managed attribute contains the linked entry DN as its value.
- The managed attribute must be multi-valued. Otherwise, if multiple link attributes point to the same managed entry, the managed attribute value would not be updated accurately.
4.10.1. linkScope
| Parameter | Description |
|---|---|
| Entry DN | cn=plugin_instance,cn=Linked Attributes,cn=plugins,cn=config |
| Valid Range | Any DN |
| Default Value | None |
| Syntax | DN |
| Example | linkScope: ou=People,dc=example,dc=com |
4.10.2. linkType
| Parameter | Description |
|---|---|
| Entry DN | cn=plugin_instance,cn=Linked Attributes,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | linkType: directReport |
4.10.3. managedType
| Parameter | Description |
|---|---|
| Entry DN | cn=plugin_instance,cn=Linked Attributes,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Syntax | DN |
| Example | managedType: manager |
4.11. Managed Entries Plug-in Attributes
- The scope of the plug-in, meaning the subtree and the search filter to use to identify entries which require a corresponding managed entry
- A template entry that defines what the managed entry should look like
4.11.1. managedBase
| Parameter | Description |
|---|---|
| Entry DN | cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any Directory Server subtree |
| Default Value | None |
| Syntax | DirectoryString |
| Example | managedBase: ou=groups,dc=example,dc=com |
4.11.2. managedTemplate
| Parameter | Description |
|---|---|
| Entry DN | cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any Directory Server entry of the mepTemplateEntry object class |
| Default Value | None |
| Syntax | DirectoryString |
| Example | managedTemplate: cn=My Template,ou=Templates,dc=example,dc=com |
4.11.3. originFilter
| Parameter | Description |
|---|---|
| Entry DN | cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any valid LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | originFilter: objectclass=posixAccount |
4.11.4. originScope
| Parameter | Description |
|---|---|
| Entry DN | cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any Directory Server subtree |
| Default Value | None |
| Syntax | DirectoryString |
| Example | originScope: ou=people,dc=example,dc=com |
4.12. MemberOf Plug-in Attributes
member. Searching for the member attribute makes it easy to list all of the members for the group. However, group membership is not reflected in the member's user entry, so it is impossible to tell to what groups a person belongs by looking at the user's entry.
member) in the group entry and then working back to write the membership changes over to a specific attribute in the members' user entries.
4.12.1. memberOfAllBackends
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | memberOf |
| Syntax | DirectoryString |
| Example | memberOfAllBackends: on |
4.12.2. memberOfAttr
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | memberOf |
| Syntax | DirectoryString |
| Example | memberOfAttr: memberOf |
4.12.3. memberOfEntryScope
memberOfEntryScope parameter enables you to set what suffixes the MemberOf plug-in works on. If the parameter is not set, the plug-in works on all suffixes. The value set in the memberOfEntryScopeExcludeSubtree parameter has a higher priority than values set in memberOfEntryScope.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server entry DN. |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfEntryScope: ou=people,dc=example,dc=com |
4.12.4. memberOfEntryScopeExcludeSubtree
memberOfEntryScopeExcludeSubtree parameter enables you to set what suffixes the MemberOf plug-in excludes. The value set in the memberOfEntryScopeExcludeSubtree parameter has a higher priority than values set in memberOfEntryScope. If the scopes set in both parameters overlap, the MemberOf plug-in only works on the non-overlapping directory entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server entry DN. |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfEntryScopeExcludeSubtree: ou=sample,dc=example,dc=com |
4.12.5. memberOfGroupAttr
member attribute, but it can be any membership-related attribute that contains a DN value, such as uniquemember or member.
Note
memberOfGroupAttr value, but the MemberOf Plug-in only works if the value of the target attribute contains the DN of the member entry. For example, the member attribute contains the DN of the member's user entry:
member: uid=jsmith,ou=People,dc=example,dc=com
memberURL attribute. That attribute will not work as a value for memberOfGroupAttr. The memberURL value is a URL, and a non-DN value cannot work with the MemberOf Plug-in.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | member |
| Syntax | DirectoryString |
| Example | memberOfGroupAttr: member |
4.13. Posix Winsync API Plug-in Attributes
ntUser and ntGroup attributes automatically added which identify them as Windows accounts, but no Posix attributes are synced over (even if they exist on the Active Directory entry) and no Posix attributes are added on the Directory Server side.
Note
uidNumber, gidNumber, and homeDirectory) are synchronized between Active Directory and Directory Server entries. However, if a new POSIX entry or POSIX attributes are added to an existing entry in the Directory Server, only the POSIX attributes are synchronized over to the Active Directory corresponding entry. The POSIX object class (posixAccount for users and posixGroup for groups) is not added to the Active Directory entry.
4.13.1. posixWinsyncCreateMemberOfTask
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true | false |
| Default Value | false |
| Example | posixWinsyncCreateMemberOfTask: false |
4.13.2. posixWinsyncLowerCaseUID
memberUID attribute in lower case.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true | false |
| Default Value | false |
| Example | posixWinsyncLowerCaseUID: false |
4.13.3. posixWinsyncMapMemberUID
memberUID attribute in an Active Directory group to the uniqueMember attribute in a Directory Server group.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true | false |
| Default Value | true |
| Example | posixWinsyncMapMemberUID: false |
4.13.4. posixWinsyncMapNestedGrouping
posixWinsyncMapNestedGrouping parameter manages whether nested groups are updated when memberUID attributes in an Active Directory POSIX group change. Updating nested groups is supported up to a depth of five levels.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true | false |
| Default Value | false |
| Example | posixWinsyncMapNestedGrouping: false |
4.13.5. posixWinsyncMsSFUSchema
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true | false |
| Default Value | false |
| Example | posixWinsyncMsSFUSchema: true |
4.14. Retro Changelog Plug-in Attributes
- A number that uniquely identifies the modification. This number is sequential with respect to other entries in the changelog.
- The modification action; that is, exactly how the directory was modified.
cn=changelog suffix.
4.14.1. isReplicated
| Parameter | Description |
|---|---|
| OID | 2.16.840.1.113730.3.1.2085 |
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | true | false |
| Default Value | None |
| Syntax | Boolean |
| Example | isReplicated: true |
4.14.2. nsslapd-attribute
nsslapd-attribute parameter.
nsslapd-attribute value.
nsslapd-attribute: attribute:alias
Note
nsslapd-attribute attribute to isReplicated is a way of indicating, in the retro changelog entry itself, whether the modification was done on the local server (that is, whether the change is an original change) or whether the change was replicated over to the server.
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | Any valid directory attribute (standard or custom) |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-attribute: nsUniqueId: uniqueID |
4.14.3. nsslapd-changelogdir
/var/lib/dirsrv/slapd-instance_name/changelogdb.
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | Any valid path to the directory |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-changelogdir: /var/lib/dirsrv/slapd-instance_name/changelogdb |
4.14.4. nsslapd-changelogmaxage (Max Changelog Age)
Note
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Range | 0 (meaning that entries are not removed according to their age) to the maximum 32 bit integer value (2147483647) |
| Default Value | 0 |
| Syntax | DirectoryString Integer AgeID, where AgeID is s for seconds, m for minutes, h for hours, d for days, or w for weeks. |
| Example | nsslapd-changelogmaxage: 30d |
4.15. RootDN Access Control Plug-in Attributes
4.15.1. rootdn-allow-host
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid host name or domain, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-allow-host: *.example.com |
4.15.2. rootdn-allow-ip
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-allow-ip: 192.168.*.* |
4.15.3. rootdn-close-time
rootdn-open-time attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid time, in a 24-hour format |
| Default Value | None |
| Syntax | Integer |
| Example | rootdn-close-time: 1700 |
4.15.4. rootdn-days-allowed
rootdn-close-time and rootdn-open-time to combine time-based access and days-of-week or it can be used by itself (with all hours allowed on allowed days).
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Values | |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri |
4.15.5. rootdn-deny-ip
Note
rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-deny-ip: 192.168.0.0 |
4.15.6. rootdn-open-time
rootdn-close-time attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid time, in a 24-hour format |
| Default Value | None |
| Syntax | Integer |
| Example | rootdn-open-time: 0800 |
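
A pre-deployment check for the plug-in attributes in this section, as an added example (not Directory Server code). It assumes that day names are the three-letter abbreviations used in the example above, that an IP pattern is acceptable if it parses as an address once each asterisk is replaced by 0, and that the open and close times are set as a pair; the sample entry is constructed from this section's example values.

```python
import fnmatch
import ipaddress
import re

DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}   # assumed abbreviations
HHMM = re.compile(r"([01]\d|2[0-3])[0-5]\d")               # 24-hour time, e.g. 0800

# Constructed sample built from the example values in this section.
SAMPLE_LDIF = """\
dn: cn=RootDN Access Control Plugin,cn=plugins,cn=config
rootdn-open-time: 0800
rootdn-close-time: 1700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.example.com
rootdn-allow-ip: 192.168.*.*
rootdn-deny-ip: 192.168.0.0
"""


def parse_entry(ldif):
    """Collect the (multi-valued) attributes of one unfolded LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def ip_pattern_ok(pattern):
    """True if the pattern parses as an IP address once each '*' becomes 0."""
    try:
        ipaddress.ip_address(pattern.replace("*", "0"))
        return True
    except ValueError:
        return False


def lint(attrs):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    opens = attrs.get("rootdn-open-time", [])
    closes = attrs.get("rootdn-close-time", [])
    if bool(opens) != bool(closes):
        findings.append("rootdn-open-time and rootdn-close-time must be set together")
    for name, values in (("rootdn-open-time", opens), ("rootdn-close-time", closes)):
        for value in values:
            if not HHMM.fullmatch(value):
                findings.append(f"{name}: '{value}' is not a 24-hour HHMM time")
    for value in attrs.get("rootdn-days-allowed", []):
        for day in (item.strip() for item in value.split(",")):
            if day not in DAYS:
                findings.append(f"rootdn-days-allowed: unknown day '{day}'")
    allow = attrs.get("rootdn-allow-ip", [])
    deny = attrs.get("rootdn-deny-ip", [])
    for name, values in (("rootdn-allow-ip", allow), ("rootdn-deny-ip", deny)):
        for value in values:
            if not ip_pattern_ok(value):
                findings.append(f"{name}: '{value}' is not a valid address pattern")
    # An address matched by both lists is denied, so an allow value that a
    # deny pattern covers completely never grants access.
    for allowed in allow:
        for denied in deny:
            if fnmatch.fnmatchcase(allowed, denied):
                findings.append(
                    f"rootdn-allow-ip '{allowed}' is covered by "
                    f"rootdn-deny-ip '{denied}' and is denied")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_entry(SAMPLE_LDIF)) or ["no findings"]:
        print(finding)
```
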
Chapter 5. Directory Entry Schema Reference
5.1. About Directory Server Schema
5.1.1. Schema Definitions
Warning
5.1.1.1. Object Classes
person and inetOrgPerson), groups (groupOfUniqueNames), locations (locality), organizations and divisions (organization and organizationalUnit), and equipment (device).
objectclasses line, then followed by its OID, name, a description, its direct superior object class (an object class which is required to be used in conjunction with the object class and which shares its attributes with this object class), and the list of required (MUST) and allowed (MAY) attributes.
Example 5.1. person Object Class Schema Entry
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ userPassword ) X-ORIGIN 'RFC 2256' )
5.1.1.1.1. Required and Allowed Attributes
person object class requires the cn, sn, and objectClass attributes and allows the description, seeAlso, telephoneNumber, and userPassword attributes.
Note
objectClass attribute, which lists the object classes assigned to the entry.
5.1.1.1.2. Object Class Inheritance
person object class, but the same person may also be described by attributes in the inetOrgPerson and organizationalPerson object classes.
inetOrgPerson object class. In that case, the entry must also include the superior object class for inetOrgPerson, organizationalPerson, and the superior object class for organizationalPerson, which is person:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
inetOrgPerson object class is assigned to an entry, the entry automatically inherits the required and allowed attributes from the superior object classes.
5.1.1.2. Attributes
cn attribute is used to store a person's full name, such as cn: John Smith.
givenname: John
surname: Smith
mail: jsmith@example.com
attributetypes line, then followed by its OID, name, a description, syntax (allowed format for its value), optionally whether the attribute is single- or multi-valued, and where the attribute is defined.
Example 5.2. description Attribute Schema Entry
attributetypes: ( 2.5.4.13 NAME 'description' DESC 'Standard LDAP attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )
attributetypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) ...
5.1.1.2.1. Directory Server Attribute Syntaxes
Table 5.1. Supported LDAP Attribute Syntaxes
| Name | OID | Definition |
|---|---|---|
| Binary | 1.3.6.1.4.1.1466.115.121.1.5 | Deprecated. Use Octet string instead. |
| Bit String | 1.3.6.1.4.1.1466.115.121.1.6 | For values which are bitstrings, such as '0101111101'B. |
| Boolean | 1.3.6.1.4.1.1466.115.121.1.7 | For attributes with only two allowed values, TRUE or FALSE. |
| Country String | 1.3.6.1.4.1.1466.115.121.1.11 | For values which are limited to exactly two printable string characters; for example, US for the United States. |
| DN | 1.3.6.1.4.1.1466.115.121.1.12 | For values which are distinguished names (DNs). |
| Delivery Method | 1.3.6.1.4.1.1466.115.121.1.14 | For values which contain a preferred method of delivering information or contacting an entity. The different values are separated by a dollar sign ($). For example: telephone $ physical |
| Directory String | 1.3.6.1.4.1.1466.115.121.1.15 | For values which are valid UTF-8 strings. These values are not necessarily case-insensitive. Both case-sensitive and case-insensitive matching rules are available for Directory String and related syntaxes. |
| Enhanced Guide | 1.3.6.1.4.1.1466.115.121.1.21 | For values which contain complex search parameters based on attributes and filters. |
| Facsimile | 1.3.6.1.4.1.1466.115.121.1.22 | For values which contain fax numbers. |
| Fax | 1.3.6.1.4.1.1466.115.121.1.23 | For values which contain the images of transmitted faxes. |
| Generalized Time | 1.3.6.1.4.1.1466.115.121.1.24 | For values which are encoded as printable strings. The time zone must be specified. It is strongly recommended to use GMT time. |
| Guide | 1.3.6.1.4.1.1466.115.121.1.25 | Obsolete. For values which contain complex search parameters based on attributes and filters. |
| IA5 String | 1.3.6.1.4.1.1466.115.121.1.26 | For values which are valid strings. These values are not necessarily case-insensitive. Both case-sensitive and case-insensitive matching rules are available for IA5 String and related syntaxes. |
| Integer | 1.3.6.1.4.1.1466.115.121.1.27 | For values which are whole numbers. |
| JPEG | 1.3.6.1.4.1.1466.115.121.1.28 | For values which contain image data. |
| Name and Optional UID | 1.3.6.1.4.1.1466.115.121.1.34 | For values which contain a combination value of a DN and (optional) unique ID. |
| Numeric String | 1.3.6.1.4.1.1466.115.121.1.36 | For values which contain a string of both numerals and spaces. |
| OctetString | 1.3.6.1.4.1.1466.115.121.1.40 | For values which are binary; this replaces the binary syntax. |
| OID | 1.3.6.1.4.1.1466.115.121.1.37 | For values which contain an object identifier (OID). |
| Postal Address | 1.3.6.1.4.1.1466.115.121.1.41 | For values which are encoded in the format postal-address = dstring * ("$" dstring). For example: 1234 Main St.$Raleigh, NC 12345$USA. Each dstring component is encoded as a DirectoryString value. Backslashes and dollar characters, if they occur, are quoted, so that they will not be mistaken for line delimiters. Many servers limit the postal address to 6 lines of up to thirty characters. |
| PrintableString | 1.3.6.1.4.1.1466.115.121.1.58 | For values which contain strings containing alphabetic, numeral, and select punctuation characters (as defined in RFC 4517). |
| Space-Insensitive String | 2.16.840.1.113730.3.7.1 | For values which contain space-insensitive strings. |
| TelephoneNumber | 1.3.6.1.4.1.1466.115.121.1.50 | For values which are in the form of telephone numbers. It is recommended to use telephone numbers in international form. |
| Teletex Terminal Identifier | 1.3.6.1.4.1.1466.115.121.1.51 | For values which contain an international telephone number. |
| Telex Number | 1.3.6.1.4.1.1466.115.121.1.52 | For values which contain a telex number, country code, and answerback code of a telex terminal. |
| URI | | For values in the form of a URL, introduced by a string such as http://, https://, ftp://, ldap://, and ldaps://. The URI has the same behavior as IA5 String. See RFC 4517 for more information on this syntax. |
5.1.1.2.2. Single- and Multi-Valued Attributes
dn: uid=jsmith,ou=marketing,ou=people,dc=example,dc=com
ou: marketing
ou: people
cn, tel, and objectclass attributes, for example, all can have more than one value. Attributes that are single-valued — that is, only one instance of the attribute can be specified — are specified in the schema as only allowing a single value. For example, uidNumber can only have one possible value, so its schema entry has the term SINGLE-VALUE. If the attribute is multi-valued, there is no value expression.
5.1.2. Default Directory Server Schema Files
/etc/dirsrv/schema directory. These default schema files are used to generate the schema files for new Directory Server instances. Each server instance has its own instance-specific schema directory in /etc/dirsrv/slapd-instance_name/schema. The schema files in the instance directory are used only by that instance.
99user.ldif file; other custom schema files can be added to the /etc/dirsrv/slapd-instance_name/schema directory for each instance. Do not make any modifications to the standard files that come with Red Hat Directory Server.
Table 5.2. Schema Files
| Schema File | Purpose |
|---|---|
| 00core.ldif | Recommended core schema from the X.500 and LDAP standards (RFCs). This schema is used by the Directory Server itself for the instance configuration and to start the server instance. |
| 01core389.ldif | Recommended core schema from the X.500 and LDAP standards (RFCs). This schema is used by the Directory Server itself for the instance configuration and to start the server instance. |
| 02common.ldif | Standard-related schema from RFC 2256, LDAPv3, and standard schema defined by Directory Server which is used to configure entries. |
| 05rfc2927.ldif | Schema from RFC 2927, "MIME Directory Profile for LDAP Schema." |
| 05rfc4523.ldif | Schema definitions for X.509 certificates. |
| 05rfc4524.ldif | Cosine LDAP/X.500 schema. |
| 06inetorgperson.ldif | inetorgperson schema elements from RFC 2798, RFC 2079, and part of RFC 1274. |
| 10rfc2307.ldif | Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service." |
| 20subscriber.ldif | Common schema element for Directory Server-Nortel subscriber interoperability. |
| 25java-object.ldif | Schema from RFC 2713, "Schema for Representing Java Objects in an LDAP Directory." |
| 28pilot.ldif | Schema from the pilot RFCs, especially RFC 1274, that are no longer recommended for use in new deployments. |
| 30ns-common.ldif | Common schema. |
| 50ns-admin.ldif | Schemas used by the Admin Server. |
| 50ns-certificate.ldif | Schemas used by Red Hat Certificate System. |
| 50ns-directory.ldif | Schema used by legacy Directory Server 4.x servers. |
| 50ns-mail.ldif | Schema for mail servers. |
| 50ns-value.ldif | Schema for value items in Directory Server. |
| 50ns-web.ldif | Schema for web servers. |
| 60autofs.ldif | Object classes for automount configuration; this is one of several schema files used for NIS servers. |
| 60eduperson.ldif | Schema elements for education-related people and organization entries. |
| 60mozilla.ldif | Schema elements for Mozilla-related user profiles. |
| 60nss-ldap.ldif | Schema elements for GSS-API service names. |
| 60pam-plugin.ldif | Schema elements for integrating directory services with PAM modules. |
| 60pureftpd.ldif | Schema elements for defining FTP user accounts. |
| 60rfc2739.ldif | Schema elements for calendars and vCard properties. |
| 60rfc3712.ldif | Schema elements for configuring printers. |
| 60sabayon.ldif | Schema elements for defining sabayon user entries. |
| 60sudo.ldif | Schema elements for defining sudo users and roles. |
| 60trust.ldif | Schema elements for defining trust relationships for NSS or PAM. |
| 99user.ldif | Custom schema elements added through the Directory Server Console. |
5.1.3. Object Identifiers (OIDs)
Warning
-oid and attribute_name-oid. However, using text OIDs instead of numeric OIDs can lead to problems with clients, server interoperability, and server behavior, so assigning a numeric OID is strongly recommended.
1. The company then uses 1.1 for attributes, so every new attribute has an OID of 1.1.x. It uses 1.2 for object classes, so every new object class has an OID of 1.2.x.
- The Netscape base OID is 2.16.840.1.113730.
- The Directory Server base OID is 2.16.840.1.113730.3.
- All Netscape-defined attributes have the base OID 2.16.840.1.113370.3.1.
- All Netscape-defined object classes have the base OID 2.16.840.1.113730.3.2.
5.1.4. Extending the Schema
5.1.5. Schema Checking
- Object classes and attributes used in the entry are defined in the directory schema.
- Attributes required for an object class are contained in the entry.
- Only attributes allowed by the object class are contained in the entry.
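
The three checks above, together with the object class inheritance described in Section 5.1.1.1.2, as an added example (not Directory Server code): a parser for objectClasses and attributetypes values and a checker built on it. The person and description definitions are Examples 5.1 and 5.2 from this page; the other definitions are constructed, abbreviated stand-ins, and the function names are hypothetical.

```python
import re

# 'person' and 'description' are Examples 5.1 and 5.2 from the page; every
# other definition is a constructed, abbreviated stand-in for illustration.
OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' DESC 'Standard LDAP objectclass' SUP top "
    "MUST ( sn $ cn ) MAY ( description $ seeAlso $ telephoneNumber $ "
    "userPassword ) X-ORIGIN 'RFC 2256' )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person MAY ( title $ ou ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "MAY ( mail $ uid ) )",
]
ATTRIBUTE_TYPES = [
    "( 2.5.4.0 NAME 'objectClass' )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) )",
    "( 2.5.4.4 NAME ( 'sn' 'surName' ) )",
    "( 2.5.4.13 NAME 'description' DESC 'Standard LDAP attribute type' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )",
    "( 0.9.2342.19200300.100.1.3 NAME 'mail' )",
]
# Keywords that stand alone and take no value.
FLAGS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE", "SINGLE-VALUE",
         "COLLECTIVE", "NO-USER-MODIFICATION"}
# Group 1: quoted string, group 2: punctuation, group 3: bare word or OID.
TOKEN = re.compile(r"'([^']*)'|([()$])|([^\s()$']+)")

def parse_definition(text):
    """Parse one objectClasses/attributetypes value into {keyword: [values]}."""
    toks = [(m.lastindex, m.group(m.lastindex)) for m in TOKEN.finditer(text)]
    if len(toks) < 3 or toks[0] != (2, "(") or toks[-1] != (2, ")"):
        raise ValueError("definition must be enclosed in parentheses")
    parsed = {"OID": [toks[1][1]]}
    i = 2
    while i < len(toks) - 1:
        key = toks[i][1]
        i += 1
        if key in FLAGS or i >= len(toks) - 1:
            parsed[key] = []
            continue
        values = []
        if toks[i] == (2, "("):             # list: ( a $ b ) or ( 'a' 'b' )
            i += 1
            while toks[i] != (2, ")"):
                if toks[i][0] != 2:         # skip the "$" separators
                    values.append(toks[i][1])
                i += 1
        else:                               # single value
            values.append(toks[i][1])
        i += 1
        parsed[key] = values
    return parsed

def load_schema(object_classes, attribute_types):
    """Index object classes by name and map every attribute alias to one name."""
    classes = {}
    for text in object_classes:
        definition = parse_definition(text)
        for name in definition["NAME"]:
            classes[name.lower()] = definition
    aliases = {}
    for text in attribute_types:
        names = parse_definition(text)["NAME"]
        for name in names:
            aliases[name.lower()] = names[0].lower()
    return classes, aliases

def check_entry(entry, classes, aliases):
    """Return the schema violations for an entry ({attribute: [values]})."""
    values = {name.lower(): vals for name, vals in entry.items()}
    listed = {oc.lower() for oc in values.get("objectclass", [])}
    problems, closure, todo, seen = [], {}, sorted(listed), set()
    while todo:                             # follow SUP up to the root class
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name not in classes:
            problems.append(f"undefined object class: {name}")
            continue
        closure[name] = classes[name]
        todo.extend(sup.lower() for sup in classes[name].get("SUP", []))
    for name in sorted(set(closure) - listed):
        problems.append(f"missing superior object class: {closure[name]['NAME'][0]}")
    canon = lambda attr: aliases.get(attr.lower(), attr.lower())
    must = {canon(a) for d in closure.values() for a in d.get("MUST", [])}
    may = {canon(a) for d in closure.values() for a in d.get("MAY", [])}
    present = {canon(a) for a in values}
    for attr in sorted(present):
        if attr not in aliases:
            problems.append(f"undefined attribute: {attr}")
        elif attr not in must | may:
            problems.append(f"attribute not allowed by object classes: {attr}")
    problems += [f"missing required attribute: {a}" for a in sorted(must - present)]
    return problems
```

Attribute names are compared case-insensitively, and an alias such as commonName is treated as its first listed name, cn.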
5.1.6. Syntax Validation
telephoneNumber attribute actually has a valid telephone number for its value.
- Fax (binary)
- OctetString (binary)
- JPEG (binary)
- Binary (non-standard)
- Space Insensitive String (non-standard)
- URI (non-standard)
syntax-validation.pl script.
5.2. Entry Attribute Reference
5.2.1. abstract
The abstract attribute contains an abstract for a document entry.
| OID | 0.9.2342.19200300.102.1.9 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.2. accessTo
| OID | 5.3.6.1.1.1.1.1 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | nss_ldap/pam_ldap |
5.2.3. accountInactivityLimit
The accountInactivityLimit attribute sets the time period, in seconds, from the last login time of an account before that account is locked for inactivity.
| OID | 1.3.6.1.4.1.11.1.3.2.1.3 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.4. acctPolicySubentry
The acctPolicySubentry attribute identifies any entry which belongs to an account policy (specifically, an account lockout policy). The value of this attribute points to the account policy which is applied to the entry.
| OID | 1.3.6.1.4.1.11.1.3.2.1.2 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.5. administratorContactInfo
| OID | 2.16.840.1.113730.3.1.74 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.6. adminRole
| OID | 2.16.840.1.113730.3.1.601 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape Administration Services |
5.2.7. adminUrl
| OID | 2.16.840.1.113730.3.1.75 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.8. aliasedObjectName
The aliasedObjectName attribute is used by the Directory Server to identify alias entries. This attribute contains the DN (distinguished name) for the entry for which this entry is the alias. For example:
aliasedObjectName: uid=jdoe,ou=people,dc=example,dc=com
| OID | 2.5.4.1 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2256 |
5.2.9. associatedDomain
The associatedDomain attribute contains the DNS domain associated with the entry in the directory tree. For example, the entry with the distinguished name c=US,o=Example Corporation has the associated domain of EC.US. These domains should be represented in RFC 822 order.
associatedDomain: US
| OID | 0.9.2342.19200300.100.1.37 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.10. associatedName
associatedName identifies an organizational directory tree entry associated with a DNS domain. For example:
associatedName: c=us
| OID | 0.9.2342.19200300.100.1.38 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.11. attributeTypes
| OID | 2.5.21.5 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
5.2.12. audio
The audio attribute contains a sound file using a binary format. This attribute uses u-law encoded sound data. For example:
audio:: AAAAAA==
| OID | 0.9.2342.19200300.100.1.55 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.13. authorCn
The authorCn attribute contains the common name of the document's author. For example:
authorCn: John Smith
| OID | 0.9.2342.19200300.102.1.11 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.14. authorityRevocationList
The authorityRevocationList attribute contains a list of revoked CA certificates. This attribute should be requested and stored in a binary format, like authorityRevocationList;binary. For example:
authorityrevocationlist;binary:: AAAAAA==
| OID | 2.5.4.38 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.15. authorSn
The authorSn attribute contains the last name or family name of the author of a document entry. For example:
authorSn: Smith
| OID | 0.9.2342.19200300.102.1.12 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.16. automountInformation
Note
The automountInformation attribute is defined in 60autofs.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 60autofs.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.33 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.17. bootFile
Note
The bootFile attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.24 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2307 |
5.2.18. bootParameter
rpc.bootparamd.
Note
The bootParameter attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.23 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2307 |
5.2.19. buildingName
The buildingName attribute contains the building name associated with the entry. For example:
buildingName: 14
| OID | 0.9.2342.19200300.100.1.48 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.20. businessCategory
The businessCategory attribute identifies the type of business in which the entry is engaged. The attribute value should be a broad generalization, such as a corporate division level. For example:
businessCategory: Engineering
| OID | 2.5.4.15 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.21. c (countryName)
The countryName, or c, attribute contains the two-character country code to represent the country names. The country codes are defined by the ISO. For example:
countryName: GB
c: US
| OID | 2.5.4.6 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2256 |
5.2.22. cACertificate
The cACertificate attribute contains a CA certificate. The attribute should be requested and stored in binary format, such as cACertificate;binary. For example:
cACertificate;binary:: AAAAAA==
| OID | 2.5.4.37 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.23. carLicense
The carLicense attribute contains an entry's automobile license plate number. For example:
carLicense: 6ABC246
| OID | 2.16.840.1.113730.3.1.1 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.24. certificateRevocationList
The certificateRevocationList attribute contains a list of revoked user certificates. The attribute value is to be requested and stored in binary form, as certificateRevocationList;binary. For example:
certificateRevocationList;binary:: AAAAAA==
| OID | 2.5.4.39 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.25. cn (commonName)
The commonName attribute contains the name of an entry. For user entries, the cn attribute is typically the person's full name. For example:
commonName: John Smith
cn: Bill Anderson
LDAPReplica or LDAPServerobject object classes, the cn attribute value has the following format:
cn: replicater.example.com:17430/dc%3Dexample%2Cdc%3Dcom
| OID | 2.5.4.3 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.26. co (friendlyCountryName)
The friendlyCountryName attribute contains a country name; this can be any string. Often, the country is used with the ISO-designated two-letter country code, while the co attribute contains a readable country name. For example:
friendlyCountryName: Ireland
co: Ireland
| OID | 0.9.2342.19200300.100.1.43 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.27. cosAttribute
cosAttribute contains the name of the attribute for which to generate a value for the CoS. There can be more than one cosAttribute value specified. This attribute is used by all types of CoS definition entries.
| OID | 2.16.840.1.113730.3.1.550 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.28. cosIndirectSpecifier
cosIndirectSpecifier specifies the attribute values used by an indirect CoS to identify the template entry.
| OID | 2.16.840.1.113730.3.1.577 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.29. cosPriority
The cosPriority attribute specifies which template provides the attribute value when CoS templates compete to provide an attribute value. This attribute represents the global priority of a template. A priority of zero is the highest priority.
| OID | 2.16.840.1.113730.3.1.569 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.30. cosSpecifier
The cosSpecifier attribute contains the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry.
| OID | 2.16.840.1.113730.3.1.551 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.31. cosTargetTree
The cosTargetTree attribute defines the subtrees to which the CoS schema applies. The values for this attribute for the schema and for multiple CoS schema may overlap their target trees arbitrarily.
| OID | 2.16.840.1.113730.3.1.552 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.32. cosTemplateDn
The cosTemplateDn attribute contains the DN of the template entry which contains a list of the shared attribute values. Changes to the template entry attribute values are automatically applied to all the entries within the scope of the CoS. A single CoS might have more than one template entry associated with it.
| OID | 2.16.840.1.113730.3.1.553 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.33. crossCertificatePair
The crossCertificatePair attribute must be requested and stored in binary format, such as crossCertificatePair;binary. For example:
crossCertificatePair;binary:: AAAAAA==
| OID | 2.5.4.40 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.34. dc (domainComponent)
The dc attribute contains one component of a domain name. For example:
dc: example
domainComponent: example
| OID | 0.9.2342.19200300.100.1.25 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2247 |
5.2.35. deltaRevocationList
The deltaRevocationList attribute contains a certificate revocation list (CRL). The attribute value is requested and stored in binary format, such as deltaRevocationList;binary.
| OID | 2.5.4.53 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.36. departmentNumber
The departmentNumber attribute contains an entry's department number. For example:
departmentNumber: 2604
| OID | 2.16.840.1.113730.3.1.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.37. description
The description attribute provides a human-readable description for an entry. For person or organization object classes, this can be used for the entry's role or work assignment. For example:
description: Quality control inspector for the ME2873 product line.
| OID | 2.5.4.13 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.38. destinationIndicator
The destinationIndicator attribute contains the city and country associated with the entry. This attribute was once required to provide public telegram service and is generally used in conjunction with the registeredAddress attribute. For example:
destinationIndicator: Stow, Ohio, USA
| OID | 2.5.4.27 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.39. displayName
The displayName attribute contains the preferred name of a person to use when displaying that person's entry. This is especially useful for showing the preferred name for an entry in a one-line summary list. Since other attribute types, such as cn, are multi-valued, they cannot be used to display a preferred name. For example:
displayName: John Smith
| OID | 2.16.840.1.113730.3.1.241 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2798 |
5.2.40. dITRedirect
The dITRedirect attribute indicates that the object described by one entry now has a newer entry in the directory tree. This attribute may be used when an individual's place of work changes, and the individual acquires a new organizational DN.
dITRedirect: cn=jsmith,dc=example,dc=com
| OID | 0.9.2342.19200300.100.1.54 |
| Syntax | DN |
| Defined in | RFC 1274 |
5.2.41. dmdName
The dmdName attribute value specifies a directory management domain (DMD), the administrative authority that operates the Directory Server.
| OID | 2.5.4.54 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2256 |
5.2.42. dn (distinguishedName)
The dn attribute contains an entry's distinguished name. For example:
dn: uid=Barbara Jensen,ou=Quality Control,dc=example,dc=com
| OID | 2.5.4.49 |
| Syntax | DN |
| Defined in | RFC 2256 |
5.2.43. dNSRecord
The dNSRecord attribute contains DNS resource records, including type A (Address), type MX (Mail Exchange), type NS (Name Server), and type SOA (Start of Authority) resource records. For example:
dNSRecord: IN NS ns.uu.net
| OID | 0.9.2342.19200300.100.1.26 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet Directory Pilot |
5.2.44. documentAuthor
The documentAuthor attribute contains the DN of the author of a document entry. For example:
documentAuthor: uid=Barbara Jensen,ou=People,dc=example,dc=com
| OID | 0.9.2342.19200300.100.1.14 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.45. documentIdentifier
The documentIdentifier attribute contains a unique identifier for a document. For example:
documentIdentifier: L3204REV1
| OID | 0.9.2342.19200300.100.1.11 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.46. documentLocation
The documentLocation attribute contains the location of the original version of a document. For example:
documentLocation: Department Library
| OID | 0.9.2342.19200300.100.1.15 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.47. documentPublisher
The documentPublisher attribute contains the person or organization who published a document. For example:
documentPublisher: Southeastern Publishing
| OID | 0.9.2342.19200300.100.1.56 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.48. documentStore
The documentStore attribute contains information on where the document is stored.
| OID | 0.9.2342.19200300.102.1.10 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.49. documentTitle
The documentTitle attribute contains a document's title. For example:
documentTitle: Red Hat Directory Server Administrator Guide
| OID | 0.9.2342.19200300.100.1.12 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.50. documentVersion
The documentVersion attribute contains the current version number for the document. For example:
documentVersion: 1.1
| OID | 0.9.2342.19200300.100.1.13 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.51. drink (favouriteDrink)
The favouriteDrink attribute contains a person's favorite beverage. This can be shortened to drink. For example:
favouriteDrink: iced tea
drink: cranberry juice
| OID | 0.9.2342.19200300.100.1.5 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.52. dSAQuality
The dSAQuality attribute contains the rating of the directory system agents' (DSA) quality. This attribute allows a DSA manager to indicate the expected level of availability of the DSA. For example:
dSAQuality: high
| OID | 0.9.2342.19200300.100.1.49 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.53. employeeNumber
The employeeNumber attribute contains the employee number for the person. For example:
employeeNumber: 3441
| OID | 2.16.840.1.113730.3.1.3 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2798 |
5.2.54. employeeType
The employeeType attribute contains the employment type for the person. For example:
employeeType: Full time
| OID | 2.16.840.1.113730.3.1.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.55. enhancedSearchGuide
The enhancedSearchGuide attribute contains information used by an X.500 client to construct search filters. For example:
enhancedSearchGuide: (uid=bjensen)
| OID | 2.5.4.47 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.56. fax (facsimileTelephoneNumber)
The facsimileTelephoneNumber attribute contains the entry's facsimile number; this attribute can be abbreviated as fax. For example:
facsimileTelephoneNumber: +1 415 555 1212
fax: +1 415 555 1212
| OID | 2.5.4.23 |
| Syntax | TelephoneNumber |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.57. gecos
The gecos attribute is used to determine the GECOS field for the user. This is comparable to the cn attribute, although using a gecos attribute allows additional information to be embedded in the GECOS field aside from the common name. This field is also useful if the common name stored in the directory is not the user's full name.
gecos: John Smith
Note
The gecos attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.58. generationQualifier
The generationQualifier attribute contains the generation qualifier for a person's name, which is usually appended as a suffix to the name. For example:
generationQualifier: III
| OID | 2.5.4.44 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.59. gidNumber
The gidNumber attribute contains a unique numeric identifier for a group entry or to identify the group for a user entry. This is analogous to the group number in Unix.
gidNumber: 100
Note
The gidNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.1 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.60. givenName
The givenName attribute contains an entry's given name, which is usually the first name. For example:
givenName: Rachel
| OID | 2.5.4.42 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.61. homeDirectory
The homeDirectory attribute contains the path to the user's home directory.
homeDirectory: /home/jsmith
Note
The homeDirectory attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.3 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.62. homePhone
The homePhone attribute contains the entry's residential phone number. For example:
homePhone: 415-555-1234
Note
Although RFC 1274 defines both homeTelephoneNumber and homePhone as names for the residential phone number attribute, Directory Server only implements the homePhone name.
| OID | 0.9.2342.19200300.100.1.20 |
| Syntax | TelephoneNumber |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.63. homePostalAddress
The homePostalAddress attribute contains an entry's home mailing address. Since this attribute generally spans multiple lines, each line break has to be represented by a dollar sign ($). To represent an actual dollar sign ($) or backslash (\) in the attribute value, use the escaped hex values \24 and \5c, respectively. For example:
homePostalAddress: 1234 Ridgeway Drive$Santa Clara, CA$99555
To represent the string:
The dollar ($) value can be found
in the c:\cost file.
provide the string:
The dollar (\24) value can be found$in the c:\5ccost file.
| OID | 0.9.2342.19200300.100.1.39 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
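The escaping rule for homePostalAddress, as an added Python example that is not part of the Directory Server documentation or code. The function names are hypothetical; the example also shows why decoding has to handle both escapes in a single pass.

```python
import re

def encode_postal_address(lines):
    """Join address lines into one homePostalAddress value.

    Backslashes are escaped first so that the backslash introduced
    when escaping '$' as \\24 is not escaped a second time.
    """
    def escape(line):
        return line.replace("\\", "\\5c").replace("$", "\\24")
    return "$".join(escape(line) for line in lines)

# Matches the two escapes named in the section: \24 ($) and \5c (\).
_ESCAPE = re.compile(r"\\(24|5[cC])")

def decode_postal_address(value):
    """Split a homePostalAddress value back into its lines.

    The value is split on the raw '$' separators before any unescaping,
    and both escapes are resolved in one left-to-right pass.
    """
    def unescape(part):
        return _ESCAPE.sub(
            lambda m: "$" if m.group(1) == "24" else "\\", part
        )
    return [unescape(part) for part in value.split("$")]

def naive_decode(value):
    """Two sequential replacements: wrong when a line holds a literal \\24.

    The encoded form \\5c24 first becomes \\24 and is then misread as '$'.
    """
    return [
        part.replace("\\5c", "\\").replace("\\24", "$")
        for part in value.split("$")
    ]

if __name__ == "__main__":
    # Constructed sample input, following the section's own example text.
    original = ["The dollar ($) value can be found", r"in the c:\cost file."]
    stored = encode_postal_address(original)
    print(stored)
    print(decode_postal_address(stored))

    # Constructed edge case: the text itself contains backslash, 2, 4.
    tricky = [r"literal \24 text"]
    print(decode_postal_address(encode_postal_address(tricky)))
    print(naive_decode(encode_postal_address(tricky)))
```

Any client that renders or validates this attribute should decode it the same way, otherwise stored text containing a backslash can change meaning on display.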
5.2.64. host
The host attribute contains the host name of a computer. For example:
host: labcontroller01
| OID | 0.9.2342.19200300.100.1.9 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.65. houseIdentifier
The houseIdentifier attribute contains an identifier for a specific building at a location. For example:
houseIdentifier: B105
| OID | 2.5.4.51 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.66. inetDomainBaseDN
| OID | 2.16.840.1.113730.3.1.690 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Subscriber interoperability |
5.2.67. inetDomainStatus
active, inactive, or deleted.
| OID | 2.16.840.1.113730.3.1.691 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Subscriber interoperability |
5.2.68. inetSubscriberAccountId
| OID | 2.16.840.1.113730.3.1.694 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Subscriber interoperability |
5.2.69. inetSubscriberChallenge
The inetSubscriberChallenge attribute contains some kind of question or prompt, the challenge phrase, which is used to confirm the identity of the user in the subscriberIdentity attribute. This attribute is used in conjunction with the inetSubscriberResponse attribute, which contains the response to the challenge.
| OID | 2.16.840.1.113730.3.1.695 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Subscriber interoperability |
5.2.70. inetSubscriberResponse
The inetSubscriberResponse attribute contains the answer to the challenge question in the inetSubscriberChallenge attribute to verify the user in the subscriberIdentity attribute.
| OID | 2.16.840.1.113730.3.1.696 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Subscriber interoperability |
5.2.71. inetUserHttpURL
| OID | 2.16.840.1.113730.3.1.693 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Subscriber interoperability |
5.2.72. inetUserStatus
active, inactive, or deleted.
| OID | 2.16.840.1.113730.3.1.692 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-Valued |
| Defined in | Subscriber interoperability |
5.2.73. info
The info attribute contains any general information about an object. Avoid using this attribute for specific information and rely instead on specific, possibly custom, attribute types. For example:
info: not valid
| OID | 0.9.2342.19200300.100.1.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.74. initials
The initials attribute contains a person's initials; this does not contain the entry's surname. For example:
initials: BAJ
Directory Server and Active Directory handle the initials attribute differently. The Directory Server allows a practically unlimited number of characters, while Active Directory has a restriction of six characters. If an entry is synced with a Windows peer and the value of the initials attribute is longer than six characters, then the value is automatically truncated to six characters when it is synchronized. No information is written to the error log to indicate that synchronization changed the attribute value.
| OID | 2.5.4.43 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.75. installationTimeStamp
| OID | 2.16.840.1.113730.3.1.73 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-Valued |
| Defined in | Netscape Administration Services |
5.2.76. internationalISDNNumber
The internationalISDNNumber attribute contains the ISDN number of a document entry. This attribute uses the internationally recognized format for ISDN addresses given in CCITT Rec. E.164.
| OID | 2.5.4.25 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.77. ipHostNumber
Note
The ipHostNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.19 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-Valued |
| Defined in | RFC 2307 |
5.2.78. ipNetmaskNumber
Note
The ipHostNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 2.16.840.1.113730.3.1.73 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-Valued |
| Defined in | RFC 2307 |
5.2.79. ipNetworkNumber
Note
The ipNetworkNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.20 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-Valued |
| Defined in | RFC 2307 |
5.2.80. ipProtocolNumber
Note
The ipProtocolNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.17 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-Valued |
| Defined in | RFC 2307 |
5.2.81. ipServicePort
Note
The ipServicePort attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.15 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-Valued |
| Defined in | RFC 2307 |
5.2.82. ipServiceProtocol
Note
The ipServiceProtocol attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.16 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-Valued |
| Defined in | RFC 2307 |
5.2.83. janetMailbox
The janetMailbox attribute contains a JANET email address, usually for users located in the United Kingdom who do not use RFC 822 email addresses. Entries with this attribute must also contain the rfc822Mailbox attribute.
| OID | 0.9.2342.19200300.100.1.46 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.84. jpegPhoto
The jpegPhoto attribute contains a JPEG photo, a binary value. For example:
jpegPhoto:: AAAAAA==
| OID | 0.9.2342.19200300.100.1.60 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.85. keyWords
The keyWords attribute contains keywords associated with the entry. For example:
keyWords: directory LDAP X.500
| OID | 0.9.2342.19200300.102.1.7 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.86. knowledgeInformation
| OID | 2.5.4.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.87. l (localityName)
The localityName, or l, attribute contains the county, city, or other geographical designation associated with the entry. For example:
localityName: Santa Clara
l: Santa Clara
| OID | 2.5.4.7 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.88. labeledURI
The labeledURI attribute contains a Uniform Resource Identifier (URI) which is related, in some way, to the entry. Values placed in the attribute should consist of a URI (currently only URLs are supported), optionally followed by one or more space characters and a label.
labeledURI: http://home.example.com
labeledURI: http://home.example.com Example website
| OID | 1.3.6.1.4.1.250.1.57 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2709 |
5.2.89. loginShell
The loginShell attribute contains the path to a script that is launched automatically when a user logs into the domain.
loginShell: c:\scripts\jsmith.bat
Note
The loginShell attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.4 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.90. macAddress
Note
The macAddress attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.22 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2307 |
5.2.91. mail
The mail attribute contains a user's primary email address. This attribute value is retrieved and displayed by whitepage applications. For example:
mail: jsmith@example.com
| OID | 0.9.2342.19200300.100.1.3 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.92. mailAccessDomain
| OID | 2.16.840.1.113730.3.1.12 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.93. mailAlternateAddress
The mailAlternateAddress attribute contains additional email addresses for a user. This attribute does not reflect the default or primary email address; that email address is set by the mail attribute.
mailAlternateAddress: jsmith@example.com
mailAlternateAddress: smith1701@alt.com
| OID | 2.16.840.1.113730.3.1.13 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.94. mailAutoReplyMode
| OID | 2.16.840.1.113730.3.1.14 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.95. mailAutoReplyText
| OID | 2.16.840.1.113730.3.1.15 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.96. mailDeliveryOption
| OID | 2.16.840.1.113730.3.1.16 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.97. mailEnhancedUniqueMember
| OID | 2.16.840.1.113730.3.1.31 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.98. mailForwardingAddress
| OID | 2.16.840.1.113730.3.1.17 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.99. mailHost
The mailHost attribute contains the host name of a mail server. For example:
mailHost: mail.example.com
| OID | 2.16.840.1.113730.3.1.18 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.100. mailMessageStore
| OID | 2.16.840.1.113730.3.1.19 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.101. mailPreferenceOption
The mailPreferenceOption attribute defines whether a user should be included on a mailing list, both electronic and physical. There are three options.
| 0 | Does not appear in mailing lists. |
| 1 | Add to any mailing lists. |
| 2 | Added only to mailing lists which the provider views as relevant to the user's interest. |
mailPreferenceOption: 0
| OID | 0.9.2342.19200300.100.1.47 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.102. mailProgramDeliveryInfo
| OID | 2.16.840.1.113730.3.1.20 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.103. mailQuota
| OID | 2.16.840.1.113730.3.1.21 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.104. mailRoutingAddress
| OID | 2.16.840.1.113730.3.1.24 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.105. manager
The manager attribute contains the distinguished name (DN) of the manager for the person. For example:
manager: cn=Bill Andersen,ou=Quality Control,dc=example,dc=com
| OID | 0.9.2342.19200300.100.1.10 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.106. member
The member attribute contains the distinguished names (DNs) of each member of a group. For example:
member: cn=John Smith,dc=example,dc=com
| OID | 2.5.4.31 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.107. memberCertificateDescription
memberCertificateDescription matches any certificate that contains a subject DN with the same attribute-value assertions (AVAs) as the description. The description may contain multiple ou AVAs. A matching DN must contain those same ou AVAs, in the same order, although it may be interspersed with other AVAs, including other ou AVAs. For any other attribute type (not ou), there should be at most one AVA of that type in the description. If there are several, all but the last are ignored.
With the following memberCertificateDescription value, a certificate needs to include ou=x, ou=A, and dc=example, but not dc=company.
memberCertificateDescription: {ou=x,ou=A,dc=company,dc=example}
A matching subject DN must contain the same ou attribute types in the same order as defined in the memberCertificateDescription attribute.
| OID | 2.16.840.1.113730.3.1.199 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
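The matching rule described for memberCertificateDescription, as an added Python example that is not part of the Directory Server documentation or code. The function names are hypothetical, and the example assumes comma-separated AVAs with no escaped commas, case-insensitive attribute types and exact comparison of values.

```python
def parse_avas(text):
    """Split '{ou=x,ou=A,dc=example}' or a subject DN into (type, value) pairs."""
    text = text.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    avas = []
    for part in text.split(","):
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute-value assertion: {part!r}")
        avas.append((attr.strip().lower(), value.strip()))
    return avas


def effective_description(description):
    """Reduce a description to what a certificate actually has to contain.

    All ou AVAs are kept, in order. For every other attribute type only
    the last AVA in the description counts; earlier ones are ignored.
    """
    required_ous = []
    required_others = {}
    for attr, value in parse_avas(description):
        if attr == "ou":
            required_ous.append(value)
        else:
            required_others[attr] = value  # a later AVA replaces an earlier one
    return required_ous, required_others


def certificate_matches(description, subject_dn):
    """Return True when subject_dn satisfies the description."""
    required_ous, required_others = effective_description(description)
    subject = parse_avas(subject_dn)

    # The required ou values must appear in the same order, but other
    # AVAs (including other ou AVAs) may sit between them. Testing
    # membership on an iterator consumes it, which enforces the order.
    subject_ous = iter(value for attr, value in subject if attr == "ou")
    if not all(ou in subject_ous for ou in required_ous):
        return False

    # Every remaining required AVA must be present in the subject DN.
    return all((attr, value) in subject for attr, value in required_others.items())


if __name__ == "__main__":
    description = "{ou=x,ou=A,dc=company,dc=example}"
    # Constructed subject DNs for illustration.
    samples = [
        "cn=jsmith,ou=x,ou=staff,ou=A,dc=example",  # extra ou in between
        "cn=jsmith,ou=A,ou=x,dc=example",           # ou values in wrong order
        "cn=jsmith,ou=x,ou=A,dc=company",           # only the ignored dc value
    ]
    print(effective_description(description))
    for dn in samples:
        print(dn, "->", certificate_matches(description, dn))
```

Running the reduction step on a description before deploying it shows which AVAs are silently ignored, which helps avoid granting group membership on a weaker pattern than intended.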
5.2.108. memberNisNetgroup
Note
The memberNisNetgroup attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.13 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2307 |
5.2.109. memberOf
memberOf is the default attribute generated by the MemberOf Plug-in on the user entry of a group member. This attribute is automatically synchronized to the listed member attributes in a group entry, so that displaying group membership for entries is managed by Directory Server.
| OID | 1.2.840.113556.1.2.102 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Delegated Administrator |
5.2.110. memberUid
The memberUid attribute contains the login name of the member of a group; this can be different than the DN identified in the member attribute.
memberUID: jsmith
Note
The memberUID attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.12 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.111. memberURL
memberURL: ldap://cn=jsmith,ou=people,dc=example,dc=com
| OID | 2.16.840.1.113730.3.1.198 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.112. mepManagedBy
| OID | 2.16.840.1.113730.3.1.2086 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.113. mepManagedEntry
| OID | 2.16.840.1.113730.3.1.2087 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.114. mepMappedAttr
mepMappedAttr: gidNumber: $gidNumber
mepMappedAttr: cn: Managed Group for $cn
| OID | 2.16.840.1.113730.3.1.2089 |
| Syntax | OctetString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.115. mepRDNAttr
mepMappedAttr.
| OID | 2.16.840.1.113730.3.1.2090 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
5.2.116. mepStaticAttr
mepStaticAttr: posixGroup
| OID | 2.16.840.1.113730.3.1.2088 |
| Syntax | OctetString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.117. mgrpAddHeader
| OID | 2.16.840.1.113730.3.1.781 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.118. mgrpAllowedBroadcaster
| OID | 2.16.840.1.113730.3.1.22 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.119. mgrpAllowedDomain
| OID | 2.16.840.1.113730.3.1.23 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.120. mgrpApprovePassword
| OID | mgrpApprovePassword-oid |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape Messaging Server |
5.2.121. mgrpBroadcasterPolicy
| OID | 2.16.840.1.113730.3.1.788 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.122. mgrpDeliverTo
| OID | 2.16.840.1.113730.3.1.25 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.123. mgrpErrorsTo
| OID | 2.16.840.1.113730.3.1.26 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape Messaging Server |
5.2.124. mgrpModerator
| OID | 2.16.840.1.113730.3.1.33 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.125. mgrpMsgMaxSize
| OID | 2.16.840.1.113730.3.1.32 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape Messaging Server |
5.2.126. mgrpMsgRejectAction
| OID | 2.16.840.1.113730.3.1.28 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.127. mgrpMsgRejectText
| OID | 2.16.840.1.113730.3.1.29 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.128. mgrpNoDuplicateChecks
| OID | 2.16.840.1.113730.3.1.789 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape Messaging Server |
5.2.129. mgrpRemoveHeader
| OID | 2.16.840.1.113730.3.1.801 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.130. mgrpRFC822MailMember
| OID | 2.16.840.1.113730.3.1.30 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.131. mobile
The mobile, or mobileTelephoneNumber, attribute contains the entry's mobile or cellular phone number. For example:
mobileTelephoneNumber: 415-555-4321
| OID | 0.9.2342.19200300.100.1.41 |
| Syntax | TelephoneNumber |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.132. mozillaCustom1
| OID | 1.3.6.1.4.1.13769.4.1 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.133. mozillaCustom2
| OID | 1.3.6.1.4.1.13769.4.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.134. mozillaCustom3
| OID | 1.3.6.1.4.1.13769.4.3 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.135. mozillaCustom4
| OID | 1.3.6.1.4.1.13769.4.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.136. mozillaHomeCountryName
| OID | 1.3.6.1.4.1.13769.3.6 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.137. mozillaHomeLocalityName
| OID | 1.3.6.1.4.1.13769.3.3 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.138. mozillaHomePostalCode
| OID | 1.3.6.1.4.1.13769.3.5 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.139. mozillaHomeState
| OID | 1.3.6.1.4.1.13769.3.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.140. mozillaHomeStreet
| OID | 1.3.6.1.4.1.13769.3.1 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.141. mozillaHomeStreet2
| OID | 1.3.6.1.4.1.13769.3.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.142. mozillaHomeUrl
| OID | 1.3.6.1.4.1.13769.3.7 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.143. mozillaNickname (xmozillanickname)
| OID | 1.3.6.1.4.1.13769.2.1 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Mozilla Address Book |
5.2.144. mozillaSecondEmail (xmozillasecondemail)
| OID | 1.3.6.1.4.1.13769.2.2 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.145. mozillaUseHtmlMail (xmozillausehtmlmail)
| OID | 1.3.6.1.4.1.13769.2.3 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.146. mozillaWorkStreet2
| OID | 1.3.6.1.4.1.13769.3.8 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.147. mozillaWorkUrl
| OID | 1.3.6.1.4.1.13769.3.9 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Mozilla Address Book |
5.2.148. multiLineDescription
| OID | 1.3.6.1.4.1.250.1.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.149. name
The name attribute identifies the attribute supertype which can be used to form string attribute types for naming.
| OID | 2.5.4.41 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.150. netscapeReversiblePassword
| OID | 2.16.840.1.113730.3.1.812 |
| Syntax | OctetString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Web Server |
5.2.151. nisMapEntry
Note
This attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.27 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.152. nisMapName
| OID | 1.3.6.1.1.1.1.26 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2307 |
5.2.153. nisNetgroupTriple
Note
This attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.14 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2307 |
5.2.154. nsAccessLog
| OID | nsAccessLog-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.155. nsAdminAccessAddresses
| OID | nsAdminAccessAddresses-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.156. nsAdminAccessHosts
| OID | nsAdminAccessHosts-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.157. nsAdminAccountInfo
| OID | nsAdminAccountInfo-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.158. nsAdminCacheLifetime
| OID | nsAdminCacheLifetime-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.159. nsAdminCgiWaitPid
| OID | nsAdminCgiWaitPid-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.160. nsAdminDomainName
| OID | nsAdminDomainName-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.161. nsAdminEnableEnduser
| OID | nsAdminEnableEnduser-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.162. nsAdminEndUserHTMLIndex
| OID | nsAdminEndUserHTMLIndex-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.163. nsAdminGroupName
| OID | nsAdminGroupName-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.164. nsAdminOneACLDir
| OID | nsAdminOneACLDir-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.165. nsAdminSIEDN
| OID | nsAdminSIEDN-oid |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.166. nsAdminUsers
| OID | nsAdminUsers-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.167. nsAIMid
| OID | 2.16.840.1.113730.3.2.300 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.168. nsBaseDN
| OID | nsBaseDN-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.169. nsBindDN
| OID | nsBindDN-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.170. nsBindPassword
nsBindDN.
| OID | nsBindPassword-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.171. nsBuildNumber
| OID | nsBuildNumber-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.172. nsBuildSecurity
| OID | nsBuildSecurity-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.173. nsCertConfig
| OID | nsCertConfig-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Certificate System |
5.2.174. nsClassName
| OID | nsClassname-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.175. nsConfigRoot
| OID | nsConfigRoot-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.176. nscpAIMScreenname
| OID | 1.3.6.1.4.1.13769.2.4 |
| Syntax | TelephoneString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Mozilla Address Book |
5.2.177. nsDefaultAcceptLanguage
| OID | nsDefaultAcceptLanguage-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.178. nsDefaultObjectClass
| OID | nsDefaultObjectClass-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.179. nsDeleteclassname
| OID | nsDeleteclassname-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.180. nsDirectoryFailoverList
| OID | nsDirectoryFailoverList-oid |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.181. nsDirectoryInfoRef
| OID | nsDirectoryInfoRef-oid |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.182. nsDirectoryURL
| OID | nsDirectoryURL-oid |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.183. nsDisplayName
| OID | nsDisplayName-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.184. nsErrorLog
| OID | nsErrorLog-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.185. nsExecRef
| OID | nsExecRef-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.186. nsExpirationDate
| OID | nsExpirationDate-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.187. nsGroupRDNComponent
| OID | nsGroupRDNComponent-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.188. nsHardwarePlatform
uname -m. For example:
nsHardwarePlatform: i686
| OID | nsHardwarePlatform-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.189. nsHelpRef
| OID | nsHelpRef-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.190. nsHostLocation
| OID | nsHostLocation-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.191. nsICQid
| OID | 2.16.840.1.113730.3.1.2014 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.192. nsInstalledLocation
| OID | nsInstalledLocation-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.193. nsJarfilename
| OID | nsJarfilename-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.194. nsLdapSchemaVersion
| OID | nsLdapSchemaVersion-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.195. nsLicensedFor
The nsLicensedFor attribute identifies the server the user is licensed to use. Admin Server expects each nsLicenseUser entry to contain zero or more instances of this attribute. Valid keywords for this attribute include the following:
- slapd for a licensed Directory Server client.
- mail for a licensed mail server client.
- news for a licensed news server client.
- cal for a licensed calendar server client.
nsLicensedFor: slapd
| OID | 2.16.840.1.113730.3.1.36 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Admin Server |
5.2.196. nsLicenseEndTime
| OID | 2.16.840.1.113730.3.1.38 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Admin Server |
5.2.197. nsLicenseStartTime
| OID | 2.16.840.1.113730.3.1.37 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Admin Server |
5.2.198. nsLogSuppress
| OID | nsLogSuppress-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.199. nsmsgDisallowAccess
| OID | nsmsgDisallowAccess-oid |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.200. nsmsgNumMsgQuota
| OID | nsmsgNumMsgQuota-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.201. nsMSNid
| OID | 2.16.840.1.113730.3.1.2016 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.202. nsNickName
| OID | nsNickName-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.203. nsNYR
| OID | nsNYR-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Administration Services |
5.2.204. nsOsVersion
| OID | nsOsVersion-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.205. nsPidLog
| OID | nsPidLog-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.206. nsPreference
| OID | nsPreference-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.207. nsProductName
| OID | nsProductName-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.208. nsProductVersion
| OID | nsProductVersion-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.209. nsRevisionNumber
| OID | nsRevisionNumber-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.210. nsSecureServerPort
Note
nsslapd-secureport configuration attribute in the Directory Server's dse.ldif file. Configuration attributes are described in the Configuration, Command, and File Reference.
| OID | nsSecureServerPort-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.211. nsSerialNumber
| OID | nsSerialNumber-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.212. nsServerAddress
| OID | nsServerAddress-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.213. nsServerCreationClassname
| OID | nsServerCreationClassname-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.214. nsServerID
nsServerID: slapd-example
| OID | nsServerID-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.215. nsServerMigrationClassname
| OID | nsServerMigrationClassname-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.216. nsServerPort
Note
nsslapd-port configuration attribute in the Directory Server's dse.ldif file. Configuration attributes are described in the Configuration, Command, and File Reference.
| OID | nsServerPort-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.217. nsServerSecurity
| OID | nsServerSecurity-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.218. nsSNMPContact
| OID | 2.16.840.1.113730.3.1.235 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.219. nsSNMPDescription
| OID | 2.16.840.1.113730.3.1.236 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.220. nsSNMPEnabled
| OID | 2.16.840.1.113730.3.1.232 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.221. nsSNMPLocation
| OID | 2.16.840.1.113730.3.1.234 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.222. nsSNMPMasterHost
| OID | 2.16.840.1.113730.3.1.237 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.223. nsSNMPMasterPort
| OID | 2.16.840.1.113730.3.1.238 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.224. nsSNMPOrganization
| OID | 2.16.840.1.113730.3.1.233 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.225. nsSuiteSpotUser
| OID | nsSuiteSpotUser-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.226. nsTaskLabel
| OID | nsTaskLabel-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.227. nsUniqueAttribute
| OID | nsUniqueAttribute-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.228. nsUserIDFormat
uid attribute from the givenname and sn attributes.
| OID | nsUserIDFormat-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.229. nsUserRDNComponent
| OID | nsUserRDNComponent-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.230. nsValueBin
| OID | 2.16.840.1.113730.3.1.247 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.231. nsValueCES
| OID | 2.16.840.1.113730.3.1.244 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.232. nsValueCIS
| OID | 2.16.840.1.113730.3.1.243 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.233. nsValueDefault
| OID | 2.16.840.1.113730.3.1.250 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.234. nsValueDescription
| OID | 2.16.840.1.113730.3.1.252 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.235. nsValueDN
| OID | 2.16.840.1.113730.3.1.248 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.236. nsValueFlags
| OID | 2.16.840.1.113730.3.1.251 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.237. nsValueHelpURL
| OID | 2.16.840.1.113730.3.1.254 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.238. nsValueInt
| OID | 2.16.840.1.113730.3.1.246 |
| Syntax | Integer |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.239. nsValueSyntax
| OID | 2.16.840.1.113730.3.1.253 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.240. nsValueTel
| OID | 2.16.840.1.113730.3.1.245 |
| Syntax | TelephoneString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.241. nsValueType
| OID | 2.16.840.1.113730.3.1.249 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape servers — value item |
5.2.242. nsVendor
| OID | nsVendor-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape |
5.2.243. nsViewConfiguration
| OID | nsViewConfiguration-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.244. nsViewFilter
| OID | 2.16.840.1.113730.3.1.3023 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.245. nsWellKnownJarfiles
| OID | nsWellKnownJarfiles-oid |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.246. nswmExtendedUserPrefs
| OID | 2.16.840.1.113730.3.1.520 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.247. nsYIMid
| OID | 2.16.840.1.113730.3.1.2015 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
5.2.248. ntGroupAttributes
ntGroupAttributes:: IyEvYmluL2tzaAoKIwojIGRlZmF1bHQgdmFsdWUKIwpIPSJgaG9zdG5hb
| OID | 2.16.840.1.113730.3.1.536 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.249. ntGroupCreateNewGroup
The ntGroupCreateNewGroup attribute is used by Windows Sync to determine whether the Directory Server should create a new group entry when a new group is created on a Windows server. true creates the new entry; false ignores the Windows entry.
| OID | 2.16.840.1.113730.3.1.45 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.250. ntGroupDeleteGroup
The ntGroupDeleteGroup attribute is used by Windows Sync to determine whether the Directory Server should delete a group entry when the group is deleted on a Windows sync peer server. true means the account is deleted; false ignores the deletion.
| OID | 2.16.840.1.113730.3.1.46 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.251. ntGroupDomainId
The ntGroupDomainId attribute contains the domain ID string for a group.
ntGroupDomainId: DS HR Group
| OID | 2.16.840.1.113730.3.1.44 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.252. ntGroupId
The ntGroupId attribute points to a binary file which identifies the group. For example:
ntGroupId: IOUnHNjjRgghghREgfvItrGHyuTYhjIOhTYtyHJuSDwOopKLhjGbnGFtr
| OID | 2.16.840.1.113730.3.1.110 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.253. ntGroupType
The ntGroupType attribute identifies the type of Windows group. The valid values are as follows:
- -21483646 for global/security
- -21483644 for domain local/security
- 2 for global/distribution
- 4 for domain local/distribution
ntGroupType: -21483646
| OID | 2.16.840.1.113730.3.1.47 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.254. ntUniqueId
The ntUniqueId attribute contains a generated number used for internal server identification and operation. For example:
ntUniqueId: 352562404224a44ab040df02e4ef500b
| OID | 2.16.840.1.113730.3.1.111 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.255. ntUserAcctExpires
ntUserAcctExpires: 20081015203415
| OID | 2.16.840.1.113730.3.1.528 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.256. ntUserAuthFlags
| OID | 2.16.840.1.113730.3.1.60 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.257. ntUserBadPwCount
| OID | 2.16.840.1.113730.3.1.531 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.258. ntUserCodePage
The ntUserCodePage attribute contains the code page for the user's language of choice. For example:
ntUserCodePage: AAAAAA==
| OID | 2.16.840.1.113730.3.1.533 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.259. ntUserComment
| OID | 2.16.840.1.113730.3.1.522 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.260. ntUserCountryCode
| OID | 2.16.840.1.113730.3.1.532 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.261. ntUserCreateNewAccount
The ntUserCreateNewAccount attribute is used by Windows Sync to determine whether the Directory Server should create a new user entry when a new user is created on a Windows server. true creates the new entry; false ignores the Windows entry.
| OID | 2.16.840.1.113730.3.1.42 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.262. ntUserDeleteAccount
The ntUserDeleteAccount attribute is used by Windows Sync to determine whether a Directory Server entry will be automatically deleted when the user is deleted from the Windows sync peer server. true means the user entry is deleted; false ignores the deletion.
| OID | 2.16.840.1.113730.3.1.43 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.263. ntUserDomainId
The ntUserDomainId attribute contains the Windows domain login ID. For example:
ntUserDomainId: jsmith
| OID | 2.16.840.1.113730.3.1.41 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.264. ntUserFlags
| OID | 2.16.840.1.113730.3.1.523 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.265. ntUserHomeDir
The ntUserHomeDir attribute contains an ASCII string representing the Windows user's home directory. This attribute can be null. For example:
ntUserHomeDir: c:\jsmith
| OID | 2.16.840.1.113730.3.1.521 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.266. ntUserHomeDirDrive
| OID | 2.16.840.1.113730.3.1.535 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.267. ntUserLastLogoff
The ntUserLastLogoff attribute contains the time of the last logoff. This value is stored as a string in GMT format.
ntUserLastLogoff: 20171015203415Z
| OID | 2.16.840.1.113730.3.1.527 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.268. ntUserLastLogon
The ntUserLastLogon attribute contains the time that the user last logged into the Windows domain. This value is stored as a string in GMT format. If security logging is turned on, then this attribute is updated on synchronization only if some other aspect of the user's entry has changed.
ntUserLastLogon: 20171015203415Z
| OID | 2.16.840.1.113730.3.1.526 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.269. ntUserLogonHours
The ntUserLogonHours attribute contains the time periods that a user is allowed to log onto the Active Directory domain. This attribute corresponds to the logonHours attribute in Active Directory.
| OID | 2.16.840.1.113730.3.1.530 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.270. ntUserLogonServer
The ntUserLogonServer attribute defines the Active Directory server to which the user's logon request is forwarded.
| OID | 2.16.840.1.113730.3.1.65 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.271. ntUserMaxStorage
The ntUserMaxStorage attribute contains the maximum amount of disk space available for the user.
ntUserMaxStorage: 4294967295
| OID | 2.16.840.1.113730.3.1.529 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.272. ntUserNumLogons
| OID | 2.16.840.1.113730.3.1.64 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.273. ntUserParms
The ntUserParms attribute contains a Unicode string reserved for use by applications.
| OID | 2.16.840.1.113730.3.1.62 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.274. ntUserPasswordExpired
| OID | 2.16.840.1.113730.3.1.68 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.275. ntUserPrimaryGroupId
The ntUserPrimaryGroupId attribute contains the group ID of the primary group to which the user belongs.
| OID | 2.16.840.1.113730.3.1.534 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.276. ntUserPriv
| OID | 2.16.840.1.113730.3.1.59 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.277. ntUserProfile
The ntUserProfile attribute contains the path to a user's profile. For example:
ntUserProfile: c:\jsmith\profile.txt
| OID | 2.16.840.1.113730.3.1.67 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.278. ntUserScriptPath
The ntUserScriptPath attribute contains the path to an ASCII script used by the user to log into the domain.
ntUserScriptPath: c:\jstorm\lscript.bat
| OID | 2.16.840.1.113730.3.1.524 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.279. ntUserUniqueId
The ntUserUniqueId attribute contains a unique numeric ID for the Windows user.
| OID | 2.16.840.1.113730.3.1.66 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.280. ntUserUnitsPerWeek
The ntUserUnitsPerWeek attribute contains the total amount of time that the user has spent logged into the Active Directory domain.
| OID | 2.16.840.1.113730.3.1.63 |
| Syntax | Binary |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.281. ntUserUsrComment
The ntUserUsrComment attribute contains additional comments about the user.
| OID | 2.16.840.1.113730.3.1.61 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.282. ntUserWorkstations
The ntUserWorkstations attribute contains a list of names, in ASCII strings, of workstations which the user is allowed to log in to. There can be up to eight workstations listed, separated by commas. Specify null to permit users to log on from any workstation. For example:
ntUserWorkstations: firefly
| OID | 2.16.840.1.113730.3.1.525 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape NT Synchronization |
5.2.283. o (organizationName)
The organizationName, or o, attribute contains the organization name. For example:
organizationName: Example Corporation
o: Example Corporation
| OID | 2.5.4.10 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.284. objectClass
The objectClass attribute identifies the object classes used for an entry. For example:
objectClass: person
| OID | 2.5.4.0 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.285. objectClasses
| OID | 2.5.21.6 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
5.2.286. obsoletedByDocument
The obsoletedByDocument attribute contains the distinguished name of a document which obsoletes the current document entry.
| OID | 0.9.2342.19200300.102.1.4 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.287. obsoletesDocument
The obsoletesDocument attribute contains the distinguished name of a document which is obsoleted by the current document entry.
| OID | 0.9.2342.19200300.102.1.3 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.288. oncRpcNumber
The oncRpcNumber attribute contains part of the RPC map and stores the RPC number for UNIX RPCs.
Note
The oncRpcNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.18 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.289. organizationalStatus
organizationalStatus identifies the person's category within an organization.
organizationalStatus: researcher
| OID | 0.9.2342.19200300.100.1.45 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.290. otherMailbox
The otherMailbox attribute contains values for email types other than X.400 and RFC 822.
otherMailbox: internet $ jsmith@example.com
| OID | 0.9.2342.19200300.100.1.22 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.291. ou (organizationalUnitName)
organizationalUnitName, or ou, contains the name of an organizational division or a subtree within the directory hierarchy.
organizationalUnitName: Marketing
ou: Marketing
| OID | 2.5.4.11 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.292. owner
The owner attribute contains the DN of the person responsible for an entry. For example:
owner: cn=John Smith,ou=people,dc=example,dc=com
| OID | 2.5.4.32 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.293. pager
The pagerTelephoneNumber, or pager, attribute contains a person's pager phone number.
pagerTelephoneNumber: 415-555-6789
pager: 415-555-6789
| OID | 0.9.2342.19200300.100.1.42 |
| Syntax | TelephoneNumber |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.294. parentOrganization
The parentOrganization attribute identifies the parent organization of an organization or organizational unit.
| OID | 1.3.6.1.4.1.1466.101.120.41 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape |
5.2.295. personalSignature
The personalSignature attribute contains the entry's signature file, in binary format.
personalSignature:: AAAAAA==
| OID | 0.9.2342.19200300.100.1.53 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.296. personalTitle
The personalTitle attribute contains a person's honorific, such as Ms., Dr., Prof., and Rev.
personalTitle: Mr.
| OID | 0.9.2342.19200300.100.1.40 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.297. photo
The photo attribute contains a photo file, in a binary format.
photo:: AAAAAA==
| OID | 0.9.2342.19200300.100.1.7 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.298. physicalDeliveryOfficeName
physicalDeliveryOffice contains the city or town in which a physical postal delivery office is located.
physicalDeliveryOfficeName: Raleigh
| OID | 2.5.4.19 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.299. postalAddress
The postalAddress attribute identifies the entry's mailing address. This field is intended to include multiple lines. When represented in LDIF format, each line should be separated by a dollar sign ($).
\24 and \5c respectively. For example, to represent the string:
The dollar ($) value can be found
in the c:\cost file.
provide the string:
The dollar (\24) value can be found$in the c:\5ccost file.
| OID | 2.5.4.16 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
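The postalAddress escaping rule above, written as an encoder and a strict decoder. This is an added example, not code from the Directory Server documentation; the function names are hypothetical. The decoder rejects any backslash sequence other than \24 and \5c, so a value that was stored without escaping is flagged instead of being silently split into the wrong lines.

```python
def encode_postal_address(lines):
    """Join address lines with '$', escaping literal '\\' as \\5c and '$' as \\24."""
    escaped = []
    for line in lines:
        # Escape the backslash first; otherwise the backslash introduced
        # by the '$' escape would itself be escaped a second time.
        escaped.append(line.replace("\\", "\\5c").replace("$", "\\24"))
    return "$".join(escaped)


def decode_postal_address(value):
    """Split a stored postalAddress value back into its lines.

    Every unescaped '$' is a line separator. A backslash must be followed
    by the two hex digits 24 or 5c (either case); anything else is an error.
    """
    lines = []
    for part in value.split("$"):
        out = []
        i = 0
        while i < len(part):
            ch = part[i]
            if ch != "\\":
                out.append(ch)
                i += 1
                continue
            code = part[i + 1:i + 3].lower()
            if code == "24":
                out.append("$")
            elif code == "5c":
                out.append("\\")
            else:
                raise ValueError(
                    "invalid escape %r at offset %d" % (part[i:i + 3], i))
            i += 3
        lines.append("".join(out))
    return lines


if __name__ == "__main__":
    # The two-line string used as the example in this section.
    address = ["The dollar ($) value can be found", "in the c:\\cost file."]
    stored = encode_postal_address(address)
    print(stored)
    print(decode_postal_address(stored))
```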
5.2.300. postalCode
postalCode contains the zip code for an entry located within the United States.
postalCode: 44224
| OID | 2.5.4.17 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.301. postOfficeBox
The postOfficeBox attribute contains the postal address number or post office box number for an entry's physical mailing address.
postOfficeBox: 1234
| OID | 2.5.4.18 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.302. preferredDeliveryMethod
preferredDeliveryMethod contains an entry's preferred contact or delivery method. For example:
preferredDeliveryMethod: telephone
| OID | 2.5.4.28 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.303. preferredLanguage
The preferredLanguage attribute contains a person's preferred written or spoken language. The value should conform to the syntax for HTTP Accept-Language header values.
| OID | 2.16.840.1.113730.3.1.39 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2798 |
5.2.304. preferredLocale
The preferredLocale attribute sets which locale is preferred by a user.
| OID | 1.3.6.1.4.1.1466.101.120.42 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape |
5.2.305. preferredTimeZone
The preferredTimeZone attribute sets the time zone to use for the user entry.
| OID | 1.3.6.1.4.1.1466.101.120.43 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Netscape |
5.2.306. presentationAddress
The presentationAddress attribute contains the OSI presentation address for an entry. This attribute includes the OSI Network Address and up to three selectors, one each for use by the transport, session, and presentation entities. For example:
presentationAddress: TELEX+00726322+RFC-1006+02+130.59.2.1
| OID | 2.5.4.29 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2256 |
5.2.307. protocolInformation
The protocolInformation attribute, used together with the presentationAddress attribute, provides additional information about the OSI network service.
| OID | 2.5.4.48 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.308. ref
The ref attribute is used to support LDAPv3 smart referrals. The value of this attribute is an LDAP URL:
ldap://host_name:port_number/subtree_dn
ref: ldap://server.example.com:389/ou=People,dc=example,dc=com
| OID | 2.16.840.1.113730.3.1.34 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | LDAPv3 Referrals Internet Draft |
5.2.309. registeredAddress
| OID | 2.5.4.26 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.310. roleOccupant
organizationalRole entry.
roleOccupant: uid=bjensen,dc=example,dc=com
| OID | 2.5.4.33 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.311. roomNumber
cn attribute should be used for naming room objects.
roomNumber: 230
| OID | 0.9.2342.19200300.100.1.6 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.312. searchGuide
The searchGuide attribute specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search operation. When constructing search filters, use the enhancedSearchGuide attribute instead.
| OID | 2.5.4.14 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.313. secretary
The secretary attribute identifies an entry's secretary or administrative assistant.
secretary: cn=John Smith,dc=example,dc=com
| OID | 0.9.2342.19200300.100.1.21 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.314. seeAlso
The seeAlso attribute identifies another Directory Server entry that may contain information related to this entry.
seeAlso: cn=Quality Control Inspectors,ou=manufacturing,dc=example,dc=com
| OID | 2.5.4.34 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.315. serialNumber
The serialNumber attribute contains the serial number of a device.
serialNumber: 555-1234-AZ
| OID | 2.5.4.5 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.316. serverHostName
The serverHostName attribute contains the host name of the server on which the Directory Server is running.
| OID | 2.16.840.1.113730.3.1.76 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Red Hat Administration Services |
5.2.317. serverProductName
The serverProductName attribute contains the name of the server product.
| OID | 2.16.840.1.113730.3.1.71 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Red Hat Administration Services |
5.2.318. serverRoot
| OID | 2.16.840.1.113730.3.1.70 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Administration Services |
5.2.319. serverVersionNumber
The serverVersionNumber attribute contains the server version number.
| OID | 2.16.840.1.113730.3.1.72 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Red Hat Administration Services |
5.2.320. shadowExpire
The shadowExpire attribute contains the date that the shadow account expires. The date is expressed as the number of days since the epoch, in UTC. To calculate this on the system, run a command like the following, using -d to give the date to convert and -u to specify UTC:
$ echo `date -u -d 20100108 +%s` /24/60/60 |bc
14617
shadowExpire.
shadowExpire: 14617
Note
The shadowExpire attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.10 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.321. shadowFlag
The shadowFlag attribute identifies what area in the shadow map stores the flag values.
shadowFlag: 150
Note
The shadowFlag attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.11 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.322. shadowInactive
The shadowInactive attribute sets how long, in days, the shadow account can be inactive.
shadowInactive: 15
Note
The shadowInactive attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.9 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.323. shadowLastChange
The shadowLastChange attribute contains the number of days between January 1, 1970 and the day when the user password was last set. For example, if an account's password was last set on Nov 4, 2016, the shadowLastChange attribute is set to 0
- When the passwordMustChange parameter is enabled in the cn=config entry, new accounts have 0 set in the shadowLastChange attribute.
- When you create an account without a password, the shadowLastChange attribute is not added.
The shadowLastChange attribute is automatically updated for accounts synchronized from Active Directory.
Note
The shadowLastChange attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.5 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.324. shadowMax
shadowMax attribute sets the maximum number of days that a shadow password is valid.
shadowMax: 10
Note
shadowMax attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.7 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.325. shadowMin
shadowMin attribute sets the minimum number of days that must pass between changing the shadow password.
shadowMin: 3
Note
shadowMin attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.6 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.326. shadowWarning
shadowWarning attribute sets how many days in advance of password expiration to send a warning to the user.
shadowWarning: 2
Note
shadowWarning attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.8 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
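The shadow attributes above (shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire) only produce an account state when they are evaluated together. The following Python code is an added example, not part of the Directory Server documentation. It assumes the conventional shadow(5) interpretation of the values; the exact boundaries are decided by the client that consumes the entry, and the function names, sample entries and day numbers are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def to_shadow_days(d):
    """Days between January 1, 1970 and d, the unit used by shadowLastChange."""
    return (d - EPOCH).days


def _int_attr(entry, name):
    """Read a single-valued Integer attribute; None if absent or negative (unset)."""
    values = entry.get(name) or []
    if not values:
        return None
    number = int(values[0])
    return number if number >= 0 else None


def shadow_state(entry, today):
    """Classify one entry on day number `today` (days since January 1, 1970)."""
    last = _int_attr(entry, "shadowLastChange")
    maximum = _int_attr(entry, "shadowMax")
    warning = _int_attr(entry, "shadowWarning")
    inactive = _int_attr(entry, "shadowInactive")
    expire = _int_attr(entry, "shadowExpire")

    # Account expiry is absolute and is checked before any password aging.
    if expire is not None and today >= expire:
        return "account-expired"
    # No shadowLastChange (account created without a password): no aging applies.
    if last is None:
        return "no-aging"
    # 0 is what new accounts get when passwordMustChange is enabled.
    if last == 0:
        return "must-change"
    if maximum is None:
        return "ok"

    age = today - last
    if age > maximum:
        # Assumed shadow(5) reading: shadowInactive is a grace period that
        # starts once the password has passed shadowMax.
        if inactive is not None and age > maximum + inactive:
            return "locked-inactive"
        return "password-expired"
    if warning is not None and age > maximum - warning:
        return "warning"
    return "ok"


def may_change_password(entry, today):
    """True once shadowMin days have passed since the last password change."""
    last = _int_attr(entry, "shadowLastChange")
    minimum = _int_attr(entry, "shadowMin")
    if last is None or last == 0 or minimum is None:
        return True
    return today - last >= minimum


def audit(entries, today):
    """Map each DN to its shadow state, e.g. for a periodic account review."""
    return {dn: shadow_state(attrs, today) for dn, attrs in entries.items()}


# Constructed sample entries; attribute values are lists of strings, as LDAP
# client libraries typically return them. Aging values reuse this page's examples.
SAMPLE_ENTRIES = {
    "uid=jsmith,ou=People,dc=example,dc=com": {
        "shadowLastChange": ["19000"], "shadowMin": ["3"], "shadowMax": ["10"],
        "shadowWarning": ["2"], "shadowInactive": ["15"],
    },
    "uid=newhire,ou=People,dc=example,dc=com": {
        "shadowLastChange": ["0"], "shadowMax": ["10"],
    },
    "uid=contractor,ou=People,dc=example,dc=com": {
        "shadowLastChange": ["19000"], "shadowMax": ["10"],
        "shadowExpire": ["19004"],
    },
    "uid=svc,ou=People,dc=example,dc=com": {"shadowMax": ["10"]},
}

if __name__ == "__main__":
    today = to_shadow_days(date.today())
    for dn, state in audit(SAMPLE_ENTRIES, today).items():
        print(f"{state:18} {dn}")
```

Accounts reported as no-aging or with no shadowMax are the ones to review first, because nothing in the entry will ever force a password change.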
5.2.327. singleLevelQuality
singleLevelQuality specifies the purported data quality at the level immediately below in the directory tree.
| OID | 0.9.2342.19200300.100.1.50 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.328. sn (surname)
surname, or sn, attribute contains an entry's surname, also called a last name or family name.
surname: Jensen
sn: Jensen
| OID | 2.5.4.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.329. st (stateOrProvinceName)
stateOrProvinceName, or st, attribute contains the entry's state or province.
stateOrProvinceName: California
st: California
| OID | 2.5.4.8 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.330. street
streetAddress, or street, attribute contains an entry's street name and residential address.
streetAddress: 1234 Ridgeway Drive
street: 1234 Ridgeway Drive
| OID | 2.5.4.9 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.331. subject
subject attribute contains information about the subject matter of the document entry.
subject: employee option grants
| OID | 0.9.2342.19200300.102.1.8 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.332. subtreeMaximumQuality
subtreeMaximumQuality attribute specifies the purported maximum data quality for a directory subtree.
| OID | 0.9.2342.19200300.100.1.52 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.333. subtreeMinimumQuality
subtreeMinimumQuality specifies the purported minimum data quality for a directory subtree.
| OID | 0.9.2342.19200300.100.1.51 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
5.2.334. supportedAlgorithms
supportedAlgorithms attribute contains algorithms which are requested and stored in a binary form, such as supportedAlgorithms;binary.
supportedAlgorithms:: AAAAAA==
| OID | 2.5.4.52 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.335. supportedApplicationContext
| OID | 2.5.4.30 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.336. telephoneNumber
telephoneNumber contains an entry's phone number. For example:
telephoneNumber: 415-555-2233
| OID | 2.5.4.20 |
| Syntax | TelephoneNumber |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.337. teletexTerminalIdentifier
teletexTerminalIdentifier attribute contains an entry's teletex terminal identifier. The first printable string in the example is the encoding of the first portion of the teletex terminal identifier to be encoded, and the subsequent 0 or more octet strings are subsequent portions of the teletex terminal identifier:
teletex-id = ttx-term 0*("$" ttx-param)
ttx-term = printablestring
ttx-param = ttx-key ":" ttx-value
ttx-key = "graphic" / "control" / "misc" / "page" / "private"
ttx-value = octetstring
| OID | 2.5.4.22 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.338. telexNumber
actual-number "$" country "$" answerback
- actual-number is the syntactic representation of the number portion of the telex number being encoded.
- country is the TELEX country code.
- answerback is the answerback code of a TELEX terminal.
| OID | 2.5.4.21 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.339. title
title attribute contains a person's title within the organization.
title: Senior QC Inspector
| OID | 2.5.4.12 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.340. ttl (TimeToLive)
TimeToLive, or ttl, attribute contains the time, in seconds, that cached information about an entry should be considered valid. Once the specified time has elapsed, the information is considered out of date. A value of zero (0) indicates that the entry should not be cached.
TimeToLive: 120
ttl: 120
| OID | 1.3.6.1.4.250.1.60 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | LDAP Caching Internet Draft |
5.2.341. uid (userID)
userID, more commonly uid, attribute contains the entry's unique user name.
userID: jsmith
uid: jsmith
| OID | 0.9.2342.19200300.100.1.1 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.342. uidNumber
uidNumber attribute contains a unique numeric identifier for a user entry. This is analogous to the user number in Unix.
uidNumber: 120
Note
uidNumber attribute is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
| OID | 1.3.6.1.1.1.1.0 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2307 |
5.2.343. uniqueIdentifier
uniqueIdentifier:: AAAAAA==
| OID | 0.9.2342.19200300.100.1.44 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.344. uniqueMember
uniqueMember attribute identifies a group of names associated with an entry where each name was given a uniqueIdentifier to ensure its uniqueness. A value for the uniqueMember attribute is a DN followed by the uniqueIdentifier.
| OID | 2.5.4.50 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.345. updatedByDocument
updatedByDocument attribute contains the distinguished name of a document that is an updated version of the document entry.
| OID | 0.9.2342.19200300.102.1.6 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.346. updatesDocument
updatesDocument attribute contains the distinguished name of a document for which this document is an updated version.
| OID | 0.9.2342.19200300.102.1.5 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Internet White Pages Pilot |
5.2.347. userCertificate
userCertificate;binary.
userCertificate;binary:: AAAAAA==
| OID | 2.5.4.36 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.348. userClass
organizationalStatus attribute makes no distinction between computer users and other types of users and may be more applicable.
userClass: intern
| OID | 0.9.2342.19200300.100.1.8 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
5.2.349. userPassword
userPassword: {sha}FTSLQhxXpA05
| OID | 2.5.4.35 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.350. userPKCS12
userPKCS12;binary. The attribute values are PFX PDUs stored as binary data.
| OID | 2.16.840.1.113730.3.1.216 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.351. userSMIMECertificate
userSMIMECertificate attribute contains certificates which can be used by mail clients for S/MIME. This attribute requests and stores data in a binary format. For example:
userSMIMECertificate;binary:: AAAAAA==
| OID | 2.16.840.1.113730.3.1.40 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2798 |
5.2.352. vacationEndDate
| OID | 2.16.840.1.113730.3.1.708 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.353. vacationStartDate
| OID | 2.16.840.1.113730.3.1.707 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Netscape Messaging Server |
5.2.354. x121Address
x121Address attribute contains a user's X.121 address.
| OID | 2.5.4.24 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.2.355. x500UniqueIdentifier
x500UniqueIdentifier:: AAAAAA==
| OID | 2.5.4.45 |
| Syntax | Binary |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2256 |
5.3. Entry Object Class Reference
ldif file. If an object class has a superior object class, both of these object classes, with all of their required attributes, must be present in the entry. If required attributes are not listed in the ldif file, then the server will not restart.
5.3.1. account
account object class defines entries for computer accounts. This object class is defined in RFC 1274.
top
0.9.2342.19200300.100.4.5
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes for the entry. |
| uid (userID) | Gives the defined account's user ID. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| host | Gives the host name for the machine on which the account resides. |
| l (localityName) | Gives the city or geographical location of the entry. |
| o (organizationName) | Gives the organization to which the account belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the account belongs. |
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.2. accountpolicy
accountpolicy object class defines entries for account inactivation or expiration policies. This is used for a user directory configuration entry, which works in conjunction with the Account Policy Plug-in configuration.
top
1.3.6.1.4.1.11.1.3.2.2.1
| Attribute | Definition |
|---|---|
| accountInactivityLimit | Sets the period, in seconds, from the last login time of an account before that account is locked for inactivity. |
5.3.3. alias
alias object class points to other directory entries. This object class is defined in RFC 2256.
top
2.5.6.1
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| aliasedObjectName | Gives the distinguished name of the entry for which this entry is an alias. |
5.3.4. bootableDevice
bootableDevice object class points to a device with boot parameters. This object class is defined in RFC 2307.
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.12
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| bootFile | Gives the boot image file. |
| bootParameter | Gives the parameters used by the boot process for the device. |
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| o (organizationName) | Gives the organization to which the device belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the device belongs. |
| owner | Gives the DN (distinguished name) of the person responsible for the device. |
| seeAlso | Contains a URL to another entry or site with related information. |
| serialNumber | Contains the serial number of the device. |
5.3.5. cacheObject
cacheObject is an object that contains the time to live (ttl) attribute type. This object class is defined in the LDAP Caching Internet Draft.
top
1.3.6.1.4.1.250.3.18
| Attribute | Definition |
|---|---|
| ttl (TimeToLive) | The time that the object remains (lives) in the cache. |
5.3.6. cosClassicDefinition
cosClassicDefinition object class defines a class of service template entry using the entry's DN (distinguished name), given in the cosTemplateDn attribute, and the value of one of the target attributes, specified in the cosSpecifier attribute.
cosSuperDefinition
2.16.840.1.113730.3.2.100
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cosAttribute | Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| cosSpecifier | Specifies the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry. |
| cosTemplateDn | Provides the DN of the template entry which is associated with the CoS definition. |
| description | Gives a text description of the entry. |
5.3.7. cosDefinition
cosDefinition object class defines which class of service is being used; this object class provides compatibility with the DS4.1 CoS Plug-in.
top
2.16.840.1.113730.3.2.84
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| aci | Evaluates what rights are granted or denied when the Directory Server receives an LDAP request from a client. |
| cn (commonName) | Gives the common name of the entry. |
| cosAttribute | Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified. |
| cosSpecifier | Specifies the attribute value used by a classic CoS, which, along with the template entry's DN, identifies the template entry. |
| cosTargetTree | Defines the subtrees in the directory to which the CoS schema applies. |
| cosTemplateDn | Provides the DN of the template entry which is associated with the CoS definition. |
| uid (userID) | Gives the user ID for the entry. |
5.3.8. cosIndirectDefinition
cosIndirectDefinition defines the template entry using the value of one of the target entry's attributes. The attribute of the target entry is specified in the cosIndirectSpecifier attribute.
cosSuperDefinition
2.16.840.1.113730.3.2.102
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cosAttribute | Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| cosIndirectSpecifier | Specifies the attribute value used by an indirect CoS to identify the template entry. |
| description | Gives a text description of the entry. |
5.3.9. cosPointerDefinition
cosSuperDefinition
2.16.840.1.113730.3.2.101
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cosAttribute | Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| cosTemplateDn | Provides the DN of the template entry which is associated with the CoS definition. |
| description | Gives a text description of the entry. |
5.3.10. cosSuperDefinition
cosSuperDefinition object class.
LDAPsubentry
2.16.840.1.113730.3.2.99
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cosAttribute | Provides the name of the attribute for which the CoS generates a value. There can be more than one cosAttribute value specified. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.11. cosTemplate
cosTemplate object class contains a list of the shared attribute values for the CoS.
top
2.16.840.1.113730.3.2.128
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| cosPriority | Specifies which template provides the attribute value when CoS templates compete to provide an attribute value. |
5.3.12. country
country object class defines entries which represent countries. This object class is defined in RFC 2256.
top
2.5.6.2
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| c (countryName) | Contains the two-character code representing country names, as defined by ISO, in the directory. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
5.3.13. dcObject
dcObject object class allows domain components to be defined for an entry. This object class is defined as auxiliary because it is commonly used in combination with another object class, such as o (organization), ou (organizationalUnit), or l (locality).
dn: dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: dcObject
dc: example
ou: Example Corporation
top
1.3.6.1.4.1.1466.344
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| dc (domainComponent) | Contains one component of a domain name. |
5.3.14. device
device object class stores information about network devices, such as printers, in the directory. This object class is defined in RFC 2247.
top
2.5.6.14
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the device. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| o (organizationName) | Gives the organization to which the device belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the device belongs. |
| owner | Gives the DN (distinguished name) of the person responsible for the device. |
| seeAlso | Contains a URL to another entry or site with related information. |
| serialNumber | Contains the serial number of the device. |
5.3.15. document
document object class defines directory entries that represent documents. This object class is defined in RFC 1247.
top
0.9.2342.19200300.100.4.6
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| documentIdentifier | Gives the unique ID for the document. |
| Attribute | Definition |
|---|---|
| abstract | Contains the abstract for the document. |
| audio | Stores a sound file in binary format. |
| authorCn | Gives the author's common name or given name. |
| authorSn | Gives the author's surname. |
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
| dITRedirect | Contains the DN (distinguished name) of the entry to use as a redirect for the document entry. |
| documentAuthor | Contains the DN (distinguished name) of the author. |
| documentLocation | Gives the location of the original document. |
| documentPublisher | Identifies the person or organization that published the document. |
| documentStore | |
| documentTitle | Contains the title of the document. |
| documentVersion | Gives the version number of the document. |
| info | Contains information about the document. |
| jpegPhoto | Stores a JPG image. |
| keyWords | Contains keywords related to the document. |
| l (localityName) | Gives the city or geographical location of the entry. |
| lastModifiedBy | Gives the DN (distinguished name) of the last user who modified the document entry. |
| lastModifiedTime | Gives the time of the last modification. |
| manager | Gives the DN (distinguished name) of the entry's manager. |
| o (organizationName) | Gives the organization to which the document belongs. |
| obsoletedByDocument | Gives the DN (distinguished name) of another document entry which obsoletes this document. |
| obsoletesDocument | Gives the DN (distinguished name) of another document entry which is obsoleted by this document. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the document belongs. |
| photo | Stores a photo of the document in binary format. |
| seeAlso | Contains a URL to another entry or site with related information. |
| subject | Describes the subject of the document. |
| uniqueIdentifier | Distinguishes between two entries when a distinguished name has been reused. |
| updatedByDocument | Gives the DN (distinguished name) of another document entry which updates this document. |
| updatesDocument | Gives the DN (distinguished name) of another document entry which is updated by this document. |
5.3.16. documentSeries
documentSeries object class defines an entry that represents a series of documents. This object class is defined in RFC 1274.
top
0.9.2342.19200300.100.4.9
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the place where the document series is physically located. |
| o (organizationName) | Gives the organization to which the document series belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the series belongs. |
| seeAlso | Contains a URL to another entry or site with related information. |
| telephoneNumber | Gives the telephone number of the person responsible for the document series. |
5.3.17. domain
domain object class defines directory entries that represent DNS domains. Use the dc (domainComponent) attribute to name entries of this object class.
example.com.
domain object class can only be used for a directory entry which does not correspond to an organization, organizational unit, or any other object which has an object class defined for it.
top
0.9.2342.19200300.100.4.13
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| dc (domainComponent) | Contains one component of a domain name. |
| Attribute | Definition |
|---|---|
| associatedName | Gives the name of an entry within the organizational directory tree which is associated with a DNS domain. |
| businessCategory | Gives the type of business in which this domain is engaged. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Gives the fax number for the domain. |
| internationalISDNNumber | Gives the ISDN number for the domain. |
| l (localityName) | Gives the city or geographical location of the entry. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postOfficeBox | Gives the post office box number for the domain. |
| postalAddress | Contains the mailing address for the domain. |
| postalCode | Gives the postal code for the domain, such as the zip code in the United States. |
| preferredDeliveryMethod | Shows the person's preferred method of contact or message delivery. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the domain is located. |
| street | Gives the street name and address number for the domain's physical location. |
| telephoneNumber | Gives the phone number for the domain. |
| teletexTerminalIdentifier | Gives the ID for a domain's teletex terminal. |
| telexNumber | Gives the telex number for the domain. |
| userPassword | Stores the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the domain. |
5.3.18. domainRelatedObject
domainRelatedObject object class defines entries that represent DNS or NRS domains which are equivalent to an X.500 domain, such as an organization or organizational unit.
top
0.9.2342.19200300.100.4.17
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| associatedDomain | Specifies a DNS domain associated with an object in the directory tree. |
5.3.19. dSA
dSA object class defines entries that represent DSAs.
top
2.5.6.13
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| presentationAddress | Contains the entry's OSI presentation address. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| knowledgeInformation | |
| l (localityName) | Gives the city or geographical location of the entry. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| seeAlso | Contains a URL to another entry or site with related information. |
| supportedApplicationContext | Contains the identifiers of OSI application contexts. |
5.3.20. extensibleObject
extensibleObject permits the entry to optionally hold any attribute. The allowed attribute list of this class is implicitly the set of all attributes known to the server.
top
1.3.6.1.4.1.1466.101.120.111
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
All attributes known to the server.
5.3.21. friendlyCountry
friendlyCountry object class defines country entries within the directory. This object class allows more friendly names than the country object class.
top
0.9.2342.19200300.100.4.18
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| co (friendlyCountryName) | Stores the human-readable country name. |
| c (countryName) | Contains the two-character code representing country names, as defined by ISO, in the directory. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
5.3.22. groupOfCertificates
groupOfCertificates object class describes a set of X.509 certificates. Any certificate that matches one of the memberCertificateDescription values is considered a member of the group.
top
2.16.840.1.113730.3.2.31
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the group is engaged. |
| description | Gives a text description of the entry. |
| memberCertificateDescription | Contains the values used to determine if a particular certificate is a member of this group. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| owner | Contains the DN (distinguished name) of the person responsible for the group. |
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.23. groupOfMailEnhancedUniqueNames
groupOfMailEnhancedUniqueNames object class is used for a mail group which must have unique members. This object class is defined for Netscape Messaging Server.
top
2.16.840.1.113730.3.2.5
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the group is engaged. |
| description | Gives a text description of the entry. |
| mailEnhancedUniqueMember | Contains a unique DN value to identify a member of the mail group. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| owner | Contains the DN (distinguished name) of the person responsible for the group. |
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.24. groupOfNames
groupOfNames object class contains entries for a group of names. This object class is defined in RFC 2256.
top
2.5.6.9
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| member | Contains the DN (distinguished name) of a group member. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| owner | Contains the DN (distinguished name) of the person responsible for the group. |
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.25. groupOfUniqueNames
groupOfUniqueNames object class defines a group which contains unique names.
top
2.5.6.17
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| owner | Contains the DN (distinguished name) of the person responsible for the group. |
| seeAlso | Contains a URL to another entry or site with related information. |
| uniqueMember | Contains the DN (distinguished name) of a member of the group; this DN must be unique. |
5.3.26. groupOfURLs
The groupOfURLs object class is an auxiliary object class for the groupOfUniqueNames and groupOfNames object classes. This group consists of a list of labeled URLs.
top
2.16.840.1.113730.3.2.33
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the group is engaged. |
| description | Gives a text description of the entry. |
| memberURL | Contains a URL associated with each member of the group. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| owner | Contains the DN (distinguished name) of the person responsible for the group. |
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.27. ieee802Device
The ieee802Device object class points to a device with a MAC address. This object class is defined in RFC 2307.
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.11
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| macAddress | Gives the MAC address of the device. |
| o (organizationName) | Gives the organization to which the device belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the device belongs. |
| owner | Gives the DN (distinguished name) of the person responsible for the device. |
| seeAlso | Contains a URL to another entry or site with related information. |
| serialNumber | Contains the serial number of the device. |
5.3.28. inetAdmin
The inetAdmin object class is a marker for an administrative group or user. This object class is defined for the Netscape Delegated Administrator.
top
2.16.840.1.113730.3.2.112
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
5.3.29. inetDomain
The inetDomain object class is an auxiliary class for virtual domain nodes. This object class is defined for the Netscape Delegated Administrator.
top
2.16.840.1.113730.3.2.129
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| inetDomainBaseDN | Defines the base DN of the user subtree for a DNS domain. |
| inetDomainStatus | Gives the status of the domain. The status can be active, inactive, or deleted. |
5.3.30. inetOrgPerson
The inetOrgPerson object class defines entries representing people in an organization's enterprise network. This object class inherits the cn (commonName) and sn (surname) attributes from the person object class.
person
2.16.840.1.113730.3.2.2
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| sn (surname) | Gives the person's family name or last name. |
| Attribute | Definition |
|---|---|
| audio | Stores a sound file in binary format. |
| businessCategory | Gives the type of business in which the entry is engaged. |
| carLicense | Gives the license plate number of the person's vehicle. |
| departmentNumber | Gives the department for which the person works. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| displayName | Shows the preferred name of a person to use when displaying entries. |
| employeeNumber | Contains the person's employee number. |
| employeeType | Shows the person's type of employment (for example, full time). |
| fax (facsimileTelephoneNumber) | Contains the person's fax number. |
| givenName | Contains the person's first name. |
| homePhone | Gives the person's home phone number. |
| homePostalAddress | Gives the person's home mailing address. |
| initials | Gives the person's initials. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| jpegPhoto | Stores a JPG image. |
| l (localityName) | Gives the city or geographical location of the entry. |
| labeledURI | Contains a URL which is relevant to the entry. |
| mail | Contains the person's email address. |
| manager | Contains the DN (distinguished name) of the direct supervisor of the person entry. |
| mobile | Gives the person's mobile phone number. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| pager | Gives the person's pager number. |
| photo | Stores a photo of a person, in binary format. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postOfficeBox | Gives the post office box number for the entry. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| preferredDeliveryMethod | Shows the person's preferred method of contact or message delivery. |
| preferredLanguage | Gives the person's preferred written or spoken language. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| roomNumber | Gives the room number where the person is located. |
| secretary | Contains the DN (distinguished name) of the person's secretary or administrative assistant. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the entry is located. |
| street | Gives the street name and number for the person's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the identifier for the person's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| title | Shows the person's job title. |
| uid (userID) | Contains the person's user ID (usually his logon ID). |
| userCertificate | Stores a user's certificate in cleartext (not used). |
| userPassword | Stores the password with which the entry can bind to the directory. |
| userSMIMECertificate | Stores the person's certificate in binary form so it can be used by S/MIME clients. |
| x121Address | Gives the X.121 address for the person. |
| x500UniqueIdentifier | Reserved for future use. |
5.3.31. inetSubscriber
The inetSubscriber object class is used for general user account management. This object class is defined for the Netscape subscriber interoperability.
top
2.16.840.1.113730.3.2.134
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| inetSubscriberAccountId | Contains a unique attribute linking the subscriber to a billing system. |
| inetSubscriberChallenge | Contains some kind of question or prompt, the challenge phrase, which is used to confirm the identity of the user. |
| inetSubscriberResponse | Contains the answer to the challenge question. |
5.3.32. inetUser
The inetUser object class is an auxiliary class which must be present in an entry in order to deliver subscriber services. This object class is defined for the Netscape subscriber interoperability.
top
2.16.840.1.113730.3.2.130
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| inetUserHttpURL | Contains web addresses associated with the user. |
| inetUserStatus | Gives the status of the user. The status can be active, inactive, or deleted. |
| memberOf | Contains a group name to which the user belongs. This is dynamically managed by the MemberOf Plug-in. |
| uid (userID) | Contains the person's user ID (usually his logon ID). |
| userPassword | Stores the password which the user can use to access the user account. |
5.3.33. ipHost
The ipHost object class stores IP information about a host. This object class is defined in RFC 2307.
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.6
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| ipHostNumber | Contains the IP address of the device or host. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| manager | Contains the DN (distinguished name) of the maintainer or supervisor of the entry. |
| o (organizationName) | Gives the organization to which the device belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the device belongs. |
| owner | Gives the DN (distinguished name) of the person responsible for the device. |
| seeAlso | Contains a URL to another entry or site with related information. |
| serialNumber | Contains the serial number of the device. |
5.3.34. ipNetwork
The ipNetwork object class stores IP information about a network. This object class is defined in RFC 2307.
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.7
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| ipNetworkNumber | Contains the IP number for the network. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| manager | Contains the DN (distinguished name) of the maintainer or supervisor of the entry. |
| ipNetmaskNumber | Contains the IP netmask for the network. |
5.3.35. ipProtocol
The ipProtocol object class shows the IP protocol version. This object class is defined in RFC 2307.
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.4
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| ipProtocolNumber | Contains the IP protocol number for the network. |
5.3.36. ipService
The ipService object class stores information about the IP service. This object class is defined in RFC 2307.
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.3
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| ipServicePort | Gives the port number used by the IP service. |
| ipServiceProtocol | Contains the IP protocol number for the service. |
5.3.37. labeledURIObject
top
1.3.6.1.4.1.250.3.15
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| labeledURI | Gives a URI which is relevant to the entry's object. |
5.3.38. locality
The locality object class defines entries that represent localities or geographic areas.
top
2.5.6.3
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province associated with the locality. |
| street | Gives a street and number associated with the locality. |
5.3.39. mailGroup
The mailGroup object class defines the mail attributes for a group. This object is defined in the schema for the Netscape Messaging Server.
top
2.16.840.1.113730.3.2.4
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| mail | Stores email addresses for the group. |
| mailAlternateAddress | Contains secondary email addresses for the group. |
| mailHost | Contains the host name of the mail server. |
| owner | Contains the DN (distinguished name) of the person responsible for the group. |
5.3.40. mailRecipient
The mailRecipient object class defines a mail account for a user. This object is defined in the schema for the Netscape Messaging Server.
top
2.16.840.1.113730.3.2.3
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| mail | Stores email addresses for the group. |
| mailAccessDomain | Contains the domain from which the user can access the messaging server. |
| mailAlternateAddress | Contains secondary email addresses for the group. |
| mailAutoReplyMode | Specifies whether autoreply mode for the account is enabled. |
| mailAutoReplyText | Contains the text used for automatic reply emails. |
| mailDeliveryOption | Specifies the mail delivery mechanism to be used for the mail user. |
| mailForwardingAddress | Specifies the mail delivery mechanism to use for the mail user. |
| mailHost | Contains the host name of the mail server. |
| mailMessageStore | Specifies the location of the user's mail box. |
| mailProgramDeliveryInfo | Specifies the commands used for programmed mail delivery. |
| mailQuota | Specifies the disk space allowed for the user's mail box. |
| mailRoutingAddress | Contains a routing address to use when forwarding the mail from this entry's account to another messaging server. |
| multiLineDescription | Contains a text description of the entry which spans more than one line. |
| uid (userID) | Gives the defined account's user ID. |
| userPassword | Stores the password with which the entry can access the account. |
5.3.41. mepManagedEntry
The mepManagedEntry object class identifies an entry which has been generated by an instance of the Managed Entries Plug-in. This object class is defined in Directory Server.
top
2.16.840.1.113730.3.2.319
| Attribute | Definition |
|---|---|
| mepManagedBy | Gives the DN of the originating entry which corresponds to the managed entry. |
5.3.42. mepOriginEntry
The mepOriginEntry object class identifies an entry which is within a subtree monitored by an instance of the Managed Entries Plug-in and for which the plug-in has created a managed entry; this entry is the originating entry for that managed entry. This object class is defined in Directory Server.
top
2.16.840.1.113730.3.2.320
| Attribute | Definition |
|---|---|
| mepManagedEntry | Gives the DN of the managed entry which was created by the Managed Entries Plug-in instance and which corresponds to this originating entry. |
5.3.43. mepTemplateEntry
The mepTemplateEntry object class identifies an entry which is used as a template by an instance of the Managed Entries Plug-in to create the managed entries. This object class is defined in Directory Server.
top
2.16.840.1.113730.3.2.321
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| mepMappedAttr | Contains an attribute-token pair that the plug-in uses to create an attribute in the managed entry with a value taken from the originating entry. |
| mepRDNAttr | Specifies which attribute to use as the naming attribute in the managed entry. |
| mepStaticAttr | Contains an attribute-value pair that will be used, with that specified value, in the managed entry. |
5.3.44. netscapeCertificateServer
The netscapeCertificateServer object class stores information about a Netscape certificate server. This object is defined in the schema for the Netscape Certificate Management System.
top
2.16.840.1.113730.3.2.18
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
5.3.45. netscapeDirectoryServer
The netscapeDirectoryServer object class stores information about a Directory Server instance. This object is defined in the schema for the Netscape Directory Server.
top
2.16.840.1.113730.3.2.23
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
5.3.46. NetscapeLinkedOrganization
NetscapeLinkedOrganization is an auxiliary object class. This object is defined in the schema for the Netscape server suite.
top
1.3.6.1.4.1.1466.101.120.141
| Attribute | Definition |
|---|---|
| parentOrganization | Identifies the parent organization for the linked organization defined for the server suite. |
5.3.47. netscapeMachineData
The netscapeMachineData object class distinguishes between machine data and non-machine data. This object is defined in the schema for the Netscape Directory Server.
top
2.16.840.1.113730.3.2.32
5.3.48. NetscapePreferences
NetscapePreferences is an auxiliary object class which stores the user preferences. This object is defined by Netscape.
top
1.3.6.1.4.1.1466.101.120.142
| Attribute | Definition |
|---|---|
| preferredLanguage | Gives the person's preferred written or spoken language. |
| preferredLocale | Gives the person's preferred locale. A locale setting defines cultural or national settings like date formats and currencies. |
| preferredTimeZone | Gives the person's preferred time zone. |
5.3.49. netscapeReversiblePasswordObject
netscapeReversiblePasswordObject is an auxiliary object class to store a password. This object is defined in the schema for the Netscape Web Server.
top
2.16.840.1.113730.3.2.154
| Attribute | Definition |
|---|---|
| netscapeReversiblePassword | Contains a password used for HTTP Digest/MD5 authentication. |
5.3.50. netscapeServer
The netscapeServer object class contains instance-specific information about a Netscape server and its installation.
top
2.16.840.1.113730.3.2.10
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| administratorContactInfo | Contains the contact information for the server administrator. |
| adminUrl | Contains the URL for the Admin Server used by the instance. |
| description | Gives a text description of the entry. |
| installationTimeStamp | Contains the time that the server instance was installed. |
| serverHostName | Contains the host name of the server on which the Directory Server instance is running. |
| serverProductName | Contains the product name of the server type. |
| serverRoot | Specifies the top directory where the server product is installed. |
| serverVersionNumber | Contains the product version number. |
| userPassword | Stores the password with which the entry can bind to the directory. |
5.3.51. netscapeWebServer
The netscapeWebServer object class identifies an installed Netscape Web Server.
top
2.16.840.1.113730.3.2.29
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| nsServerID | Contains the server's name or ID. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| nsServerPort | Contains the server's port number. |
5.3.52. newPilotPerson
The newPilotPerson object class is a subclass of the person object class which allows additional attributes to be assigned to entries of the person object class. This object class inherits the cn (commonName) and sn (surname) attributes from the person object class.
person
0.9.2342.19200300.100.4.4
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| sn (surname) | Gives the person's family name or last name. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| drink (favouriteDrink) | Gives the person's favorite drink. |
| homePhone | Gives the person's home phone number. |
| homePostalAddress | Gives the person's home mailing address. |
| janetMailbox | Gives the person's email address; this is primarily for use in Great Britain or organizations which do not use RFC 822 mail addresses. |
| mail | Contains the person's email address. |
| mailPreferenceOption | Indicates the user's preference for including his name on mailing lists (electronic or physical). |
| mobile | Gives the person's mobile phone number. |
| organizationalStatus | Gives the common job category for a person's function. |
| otherMailbox | Contains values for electronic mailbox types other than X.400 and RFC 822. |
| pager | Gives the person's pager number. |
| personalSignature | Contains the person's signature file. |
| personalTitle | Gives the person's honorific. |
| preferredDeliveryMethod | Shows the person's preferred method of contact or message delivery. |
| roomNumber | Gives the room number where the person is located. |
| secretary | Contains the DN (distinguished name) of the person's secretary or administrative assistant. |
| seeAlso | Contains a URL to another entry or site with related information. |
| telephoneNumber | Gives the telephone number for the entry. |
| uid (userID) | Contains the person's user ID (usually his logon ID). |
| userClass | Describes the type of computer user this entry is. |
| userPassword | Stores the password with which the entry can bind to the directory. |
5.3.53. nisMap
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.13
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| nisMapName | Contains the NIS map name. |
5.3.54. nisNetgroup
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.8
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| memberNisNetgroup | Merges the attribute values of another netgroup into the current one by listing the name of the merging netgroup. |
| nisNetgroupTriple | Contains a user name (,bobby,example.com) or a machine name (shellserver1,,example.com). |
5.3.55. nisObject
Note
This object class is defined in 10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.10
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| nisMapEntry | Identifies the NIS map entry. |
| nisMapName | Contains the name of the NIS map. |
5.3.56. nsAdminConfig
nsConfig
nsAdminConfig-oid
| Attribute | Definition |
|---|---|
| nsAdminAccessAddresses | Identifies the Admin Server IP addresses. |
| nsAdminAccessHosts | Contains the Admin Server host name or a list of Admin Server host names. |
| nsAdminCacheLifetime | Notes the length of the cache timeout period. |
| nsAdminCgiWaitPid | Contains the PID of the CGI process the server is waiting for. |
| nsAdminEnableEnduser | Sets whether to allow or disallow end user access to the Admin Server web services pages. |
| nsAdminOneACLDir | Contains the path of the local ACL directory for the Admin Server. |
| nsAdminUsers | Points to the file which contains the admin user info. |
5.3.57. nsAdminConsoleUser
top
nsAdminConsoleUser-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsPreference | Stores preference information for console settings. |
5.3.58. nsAdminDomain
organizationalUnit
nsAdminDomain-oid
| Attribute | Definition |
|---|---|
| nsAdminDomainName | Identifies the administration domain for the servers. |
5.3.59. nsAdminGlobalParameters
top
nsAdminGlobalParameters-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsAdminEndUserHTMLIndex | Sets whether to allow or disallow end-user access to the HTML index pages. |
| nsNickName | Gives the nickname for the application. |
5.3.60. nsAdminGroup
top
nsAdminGroup-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| nsAdminGroupName | Contains the name for the admin group. |
| nsAdminSIEDN | Shows the DN of the server instance entry (SIE) for the Admin Server instance. |
| nsConfigRoot | Gives the full path to the Admin Server instance's configuration directory. |
5.3.61. nsAdminObject
top
nsAdminObject-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsClassName | Contains the class name associated with the task or resource editor for the Admin Server. |
| nsJarfilename | Gives the name of the JAR file used by the Admin Server Console to access the object. |
5.3.62. nsAdminResourceEditorExtension
nsAdminObject
nsAdminResourceEditorExtension-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsAdminAccountInfo | Contains information about the Admin Server account. |
| nsDeleteclassname | Contains the name of a class to be deleted. |
5.3.63. nsAdminServer
top
nsAdminServer-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| nsServerID | Contains the Directory Server ID, such as slapd-example. |
5.3.64. nsAIMpresence
nsAIMpresence is an auxiliary object class which defines the status of an AOL instant messaging account. This object is defined for the Directory Server.
top
2.16.840.1.113730.3.2.300
| Attribute | Definition |
|---|---|
| nsAIMid | Contains the AIM user ID for the entry. |
| nsAIMStatusGraphic | Contains a pointer to the graphic image which indicates the AIM account's status. |
| nsAIMStatusText | Contains the text to indicate the AIM account's status. |
5.3.65. nsApplication
nsApplication defines an application or server entry. This is defined by Netscape.
top
nsApplication-oid
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| installationTimeStamp | Contains the time that the server instance was installed. |
| nsBuildNumber | Contains the build number for the server instance. |
| nsBuildSecurity | Contains the level of security used to make the build. |
| nsExpirationDate | Contains the date that the license for the application expires. |
| nsInstalledLocation | For servers which are version 7.1 or older, shows the installation directory for the server. |
| nsLdapSchemaVersion | Gives the version of the LDAP schema files used by the Directory Server. |
| nsNickName | Gives the nickname for the application. |
| nsProductName | Gives the name of the server product. |
| nsProductVersion | Shows the version number of the server product. |
| nsRevisionNumber | Contains the revision number (minor version) for the product. |
| nsSerialNumber | Gives the serial number assigned to the server product. |
| nsServerMigrationClassname | Gives the class to use to migrate a server instance. |
| nsServerCreationClassname | Gives the class to use to create a server instance. |
| nsVendor | Contains the name of the vendor who designed the server. |
5.3.66. nsCertificateServer
The nsCertificateServer object class stores information about a Red Hat Certificate System instance. This object is defined in the schema for the Certificate System.
top
nsCertificateServer-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| nsServerID | Contains the server's name or ID. |
| Attribute | Definition |
|---|---|
| nsCertConfig | Contains configuration settings for a Red Hat Certificate System instance. |
| nsServerPort | Contains the server's port number. |
| serverHostName | Contains the host name of the server on which the Directory Server instance is running. |
5.3.67. nsComplexRoleDefinition
nsRoleDefinition
2.16.840.1.113730.3.2.95
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.68. nsContainer
nsContainer object class.
top
2.16.840.1.113730.3.2.104
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Gives the common name of the entry. |
5.3.69. nsCustomView
The nsCustomView object class defines information about custom views of the Directory Server data in the Directory Server Console. This is defined for Administration Services.
nsAdminObject
nsCustomView-oid
| Attribute | Definition |
|---|---|
| nsDisplayName | Contains the name of the custom view setting profile. |
5.3.70. nsDefaultObjectClasses
nsDefaultObjectClasses sets default object classes to use when creating a new object of a certain type within the directory. This is defined for Administration Services.
top
nsDefaultObjectClasses-oid
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| nsDefaultObjectClass | Contains an object class to assign by default to an object type. |
5.3.71. nsDirectoryInfo
nsDirectoryInfo contains information about a directory instance. This is defined for Administration Services.
top
nsDirectoryInfo-oid
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the device. |
| Attribute | Definition |
|---|---|
| nsBindDN | Contains the bind DN defined for the server in its server instance entry. |
| nsBindPassword | Contains the password for the bind identity in the SIE. |
| nsDirectoryFailoverList | Contains a list of URLs of other Directory Server instances to use for failover support if the instance in nsDirectoryURL is unavailable. |
| nsDirectoryInfoRef | Contains a reference to a distinguished name (DN) in the directory. |
| nsDirectoryURL | Contains a URL to access the Directory Server instance. |
5.3.72. nsDirectoryServer
nsDirectoryServer is the defining object class for a Directory Server instance. This is defined for the Directory Server.
top
nsDirectoryServer-oid
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| nsServerID | Contains the server's name or ID. |
| Attribute | Definition |
|---|---|
| nsBaseDN | Contains the base DN for the server instance. |
| nsBindDN | Contains the bind DN defined for the server in its server instance entry. |
| nsBindPassword | Contains the password for the bind identity in the SIE. |
| nsSecureServerPort | Contains the server's SSL/TLS port number. |
| nsServerPort | Contains the server's port number. |
| serverHostName | Contains the host name of the server on which the Directory Server instance is running. |
5.3.73. nsFilteredRoleDefinition
The nsFilteredRoleDefinition object class defines how entries are assigned to the role, depending upon the attributes contained by each entry.
nsComplexRoleDefinition
2.16.840.1.113730.3.2.97
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| nsRoleFilter | Specifies the filter used to identify entries in the filtered role. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.74. nsGlobalParameters
The nsGlobalParameters object class contains global preference settings.
top
nsGlobalParameters-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsGroupRDNComponent | Defines the default attribute type used in the RDN of the group entry. |
| nsUniqueAttribute | Defines a unique attribute in the preferences. |
| nsUserIDFormat | Sets the format to generate the user ID from the givenname and sn attributes. |
| nsUserRDNComponent | Sets the attribute type to use as the naming component in the user DN. |
| nsNYR | Not used. |
| nsWellKnownJarfiles | Not used. |
5.3.75. nsHost
The nsHost object class stores information about the server host.
top
nsHost-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| nsHardwarePlatform | Identifies the hardware platform for the host on which the Directory Server instance is running. This is the same information as running uname -m. |
| nsHostLocation | Gives the location of the server host. |
| nsOsVersion | Contains the operating system version of the server host. |
| serverHostName | Contains the host name of the server on which the Directory Server instance is running. |
5.3.76. nsICQpresence
nsICQpresence is an auxiliary object class which defines the status of an ICQ messaging account. This object is defined for the Directory Server.
top
2.16.840.1.113730.3.2.301
| Attribute | Definition |
|---|---|
| nsICQid | Contains the ICQ user ID for the entry. |
| nsICQStatusGraphic | Contains a pointer to the graphic image which indicates the ICQ account's status. |
| nsICQStatusText | Contains the text to indicate the ICQ account's status. |
5.3.77. nsLicenseUser
The nsLicenseUser object class tracks licenses for servers that are licensed on a per-client basis. nsLicenseUser is intended to be used with the inetOrgPerson object class. You can manage the contents of this object class through the Users and Groups area of the Admin Server.
top
2.16.840.1.113730.3.2.7
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| nsLicensedFor | Identifies the server that the user is licensed to use. |
| nsLicenseEndTime | Reserved for future use. |
| nsLicenseStartTime | Reserved for future use. |
5.3.78. nsManagedRoleDefinition
The nsManagedRoleDefinition object class specifies the member assignments of a role to an explicit, enumerated list of members.
nsComplexRoleDefinition
2.16.840.1.113730.3.2.96
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.79. nsMessagingServerUser
nsMessagingServerUser is an auxiliary object class that describes a messaging server user. This object class is defined for Netscape Messaging Server.
top
2.16.840.113730.3.2.37
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| mailAccessDomain | Contains the domain from which the user can access the messaging server. |
| mailAlternateAddress | Contains secondary email addresses for the group. |
| mailAutoReplyMode | Specifies whether autoreply mode for the account is enabled. |
| mailAutoReplyText | Contains the text used for automatic reply emails. |
| mailDeliveryOption | Specifies the mail delivery mechanism to be used for the mail user. |
| mailForwardingAddress | Specifies the mail delivery mechanism to use for the mail user. |
| mailMessageStore | Specifies the location of the user's mail box. |
| mailProgramDeliveryInfo | Specifies the commands used for programmed mail delivery. |
| mailQuota | Specifies the disk space allowed for the user's mail box. |
| nsmsgDisallowAccess | Sets limits on the mail protocols available to the user. |
| nsmsgNumMsgQuota | Specifies the number of messages allowed for the user's mail box. |
| nswmExtendedUserPrefs | Stores the extended preferences for the user. |
| vacationEndDate | Contains the end date for a vacation period. |
| vacationStartDate | Contains the start date for a vacation period. |
5.3.80. nsMSNpresence
nsMSNpresence is an auxiliary object class which defines the status of an MSN instant messaging account. This object is defined for the Directory Server.
top
2.16.840.1.113730.3.2.303
| Attribute | Definition |
|---|---|
| nsMSNid | Contains the MSN user ID for the entry. |
| nsMSNStatusGraphic | Contains a pointer to the graphic image which indicates the MSN account's status. |
| nsMSNStatusText | Contains the text to indicate the MSN account's status. |
5.3.81. nsNestedRoleDefinition
The nsNestedRoleDefinition object class specifies that one or more roles, of any type, are included as members within the role.
nsComplexRoleDefinition
2.16.840.1.113730.3.2.98
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| nsRoleDn | Specifies the roles assigned to an entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.82. nsResourceRef
The nsResourceRef object class configures a resource reference.
top
nsResourceRef-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.83. nsRoleDefinition
nsRoleDefinition object class.
LDAPsubentry
2.16.840.1.113730.3.2.93
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.84. nsSimpleRoleDefinition
- Enumerate the members of a role.
- Determine whether a given entry possesses a particular role.
- Enumerate all the roles possessed by a given entry.
- Assign a particular role to a given entry.
- Remove a particular role from a given entry.
nsRoleDefinition
2.16.840.1.113730.3.2.94
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
5.3.85. nsSNMP
top
2.16.840.1.113730.3.2.41
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| nsSNMPEnabled | Sets whether SNMP is enabled for the Directory Server instance. |
| Attribute | Definition |
|---|---|
| nsSNMPContact | Contains the contact information provided by the SNMP agent. |
| nsSNMPDescription | Contains a text description of the SNMP setup. |
| nsSNMPLocation | Contains the location information or configuration for the SNMP agent. |
| nsSNMPMasterHost | Contains the host name for the server where the SNMP master agent is located. |
| nsSNMPMasterPort | Contains the port to access the SNMP subagent. |
| nsSNMPName | Contains the name of the SNMP agent. |
| nsSNMPOrganization | Contains the organization name or information provided by the SNMP service. |
5.3.86. nsTask
top
nsTask-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsExecRef | Contains a reference to the program which will perform the task. |
| nsHelpRef | Contains a reference to an online (HTML) help file associated with the task window. |
| nsLogSuppress | Sets whether to suppress logging for the task. |
| nsTaskLabel | Contains a label associated with the task in the Console. |
5.3.87. nsTaskGroup
top
nsTaskGroup-oid
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsTaskLabel | Contains a label associated with the task in the Console. |
5.3.88. nsTopologyCustomView
nsCustomView
nsTopologyCustomView-oid
| Attribute | Definition |
|---|---|
| nsViewConfiguration | Contains the view configuration to use in the Console. |
5.3.89. nsTopologyPlugin
nsAdminObject
nsTopologyPlugin-oid
5.3.90. nsValueItem
top
2.16.840.1.113730.3.2.45
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| nsValueBin | Contains information or operations related to the binary value type. |
| nsValueCES | Contains information or operations related to the case-exact string (CES) value type. |
| nsValueCIS | Contains information or operations related to the case-insensitive (CIS) value type. |
| nsValueDefault | Sets the default value type to use for an attribute or configuration parameter. |
| nsValueDescription | Gives a text description of the value item setting. |
| nsValueDN | Contains information or operations related to the DN value type. |
| nsValueFlags | Sets flags for the value item object. |
| nsValueHelpURL | Contains a reference to an online (HTML) help file associated with the value item object. |
| nsValueInt | Contains information or operations related to the integer value type. |
| nsValueSyntax | Defines the syntax to use for the value item object. |
| nsValueTel | Contains information or operations related to the telephone string value type. |
| nsValueType | Sets which value type to apply. |
5.3.91. nsView
top
2.16.840.1.113730.3.2.304
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| nsViewFilter | Identifies the filter used by the view plugin. |
5.3.92. nsYIMpresence
nsYIMpresence is an auxiliary object class which defines the status of a Yahoo instant messaging account. This object is defined for the Directory Server.
top
2.16.840.1.113730.3.2.302
| Attribute | Definition |
|---|---|
| nsYIMid | Contains the Yahoo user ID for the entry. |
| nsYIMStatusGraphic | Contains a pointer to the graphic image which indicates the Yahoo account's status. |
| nsYIMStatusText | Contains the text to indicate the Yahoo account's status. |
5.3.93. ntGroup
The ntGroup object class holds data for a group entry stored in a Windows Active Directory server. Several Directory Server attributes correspond directly to or are mapped to match Windows group attributes. When you create a new group in the Directory Server that is to be synchronized with a Windows server group, Directory Server attributes are assigned to the Windows entry. These attributes may then be added, modified, or deleted in the entry through either directory service.
top
2.16.840.1.113730.3.2.9
| Object Class | Definition |
|---|---|
| mailGroup | Allows the mail attribute to be synchronized between Windows and Directory Server groups. |
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| ntUserDomainId | Contains the Windows domain login ID for the group account. |
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry; this corresponds to the Windows name field. |
| description | Gives a text description of the entry; corresponds to the Windows comment field. |
| l (localityName) | Gives the city or geographical location of the entry. |
| member | Specifies the members of the group. |
| ntGroupCreateNewGroup | Specifies whether a Windows account should be created when an entry is created in the Directory Server. |
| ntGroupDeleteGroup | Specifies whether a Windows account should be deleted when an entry is deleted in the Directory Server. |
| ntGroupDomainId | Gives the domain ID string for the group. |
| ntGroupType | Defines what kind of Windows domain group the entry is. |
| ntUniqueId | Contains a generated ID number used by the server for operations and identification. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| seeAlso | Contains a URL to another entry or site with related information. |
5.3.94. ntUser
The ntUser entry holds data for a user entry stored in a Windows Active Directory server. Several Directory Server attributes correspond directly to or are mapped to match Windows user account fields. When you create a new person entry in the Directory Server that is to be synchronized with a Windows server, Directory Server attributes are assigned to Windows user account fields. These attributes may then be added, modified, or deleted in the entry through either directory service.
top
2.16.840.1.113730.3.2.8
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry; this corresponds to the Windows name field. |
| ntUserDomainId | Contains the Windows domain login ID for the user account. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry; corresponds to the Windows comment field. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Gives the fax number for the user. |
| givenName | Contains the person's first name. |
| homePhone | Gives the person's home phone number. |
| homePostalAddress | Gives the person's home mailing address. |
| initials | Gives the person's initials. |
| l (localityName) | Gives the city or geographical location of the entry. |
| mail | Contains the person's email address. |
| manager | Contains the DN (distinguished name) of the direct supervisor of the person entry. |
| mobile | Gives the person's mobile phone number. |
| ntUserAcctExpires | Identifies when the user's Windows account will expire. |
| ntUserCodePage | Gives the user's code page. |
| ntUserCreateNewAccount | Specifies whether a Windows account should be created when this entry is created in the Directory Server. |
| ntUserDeleteAccount | Specifies whether a Windows account should be deleted when this entry is deleted in the Directory Server. |
| ntUserHomeDir | Gives the path to the user's home directory. |
| ntUserLastLogoff | Gives the time of the user's last logoff from the Windows server. |
| ntUserLastLogon | Gives the time of the user's last logon to the Windows server. |
| ntUserMaxStorage | Shows the maximum disk space available to the user in the Windows server. |
| ntUserParms | Contains a Unicode string reserved for use by applications. |
| ntUserProfile | Contains the path to the user's Windows profile. |
| ntUserScriptPath | Contains the path to the user's Windows login script. |
| ntUserWorkstations | Contains a list of Windows workstations from which the user is allowed to log into the Windows domain. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| pager | Gives the person's pager number. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| seeAlso | Contains a URL to another entry or site with related information. |
| sn (surname) | Gives the person's family name or last name. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and address number for the person's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the identifier for the person's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| title | Shows the person's job title. |
| userCertificate | Stores a user's certificate in cleartext (not used). |
| x121Address | Gives the X.121 address for the entry. |
5.3.95. oncRpc
The oncRpc object class defines an abstraction of an Open Network Computing Remote Procedure Call (ONC RPC). This object class is defined in RFC 2307.
Note
10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.5
| Attribute | Definition |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn (commonName) | Gives the common name of the entry. |
| oncRpcNumber | Contains part of the RPC map and stores the RPC number for UNIX RPCs. |
5.3.96. organization
The organization object class defines entries that represent organizations. An organization is generally assumed to be a large, relatively static grouping within a larger corporation or enterprise.
top
2.5.6.4
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Shows the preferred method of contact or message delivery for the entry. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and number for the person's physical location. |
| telephoneNumber | Gives the telephone number of the person responsible for the organization. |
| teletexTerminalIdentifier | Gives the ID for an entry's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| userPassword | Gives the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the entry. |
5.3.97. organizationalPerson
The organizationalPerson object class defines entries for people employed or affiliated with the organization. This object class inherits the cn (commonName) and sn (surname) attributes from the person object class.
person
2.5.6.7
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| sn (surname) | Gives the person's family name or last name. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Shows the person's preferred method of contact or message delivery. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and number for the person's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the ID for an entry's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| title | Shows the person's job title. |
| userPassword | Stores the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the entry. |
5.3.98. organizationalRole
The organizationalRole object class is used to define entries for roles held by people within an organization.
top
2.5.6.8
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Shows the role's preferred method of contact or message delivery. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| roleOccupant | Contains the DN (distinguished name) of the person in the role. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the entry is located. |
| street | Gives the street name and number for the role's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the ID for an entry's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| x121Address | Gives the X.121 address for the entry. |
5.3.99. organizationalUnit
The organizationalUnit object class defines entries that represent organizational units, generally understood to be a relatively static grouping within a larger organization.
top
2.5.6.5
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Gives the preferred method of being contacted. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and number for the role's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the ID for an entry's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| userPassword | Stores the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the entry. |
5.3.100. person
The person object class represents entries for generic people. This is the base object class for the organizationalPerson object class.
top
2.5.6.6
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| sn (surname) | Gives the person's family name or last name. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| seeAlso | Contains a URL to another entry or site with related information. |
| telephoneNumber | Gives the telephone number for the entry. |
| userPassword | Stores the password with which the entry can bind to the directory. |
5.3.101. pilotObject
pilotObject is a subclass to allow additional attributes to be assigned to entries of all other object classes.
top
0.9.2342.19200300.100.4.3
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| audio | Stores a sound file in a binary format. |
| dITRedirect | Contains the DN (distinguished name) of the entry to use as a redirect for the entry. |
| info | Contains information about the entry. |
| jpegPhoto | Stores a JPG image. |
| lastModifiedBy | Gives the DN (distinguished name) of the last user that modified the document entry. |
| lastModifiedTime | Gives the time the object was most recently modified. |
| manager | Gives the DN (distinguished name) of the entry's manager. |
| photo | Stores a photo of the document in binary format. |
| uniqueIdentifier | Distinguishes between two entries when a distinguished name has been reused. |
5.3.102. pilotOrganization
The pilotOrganization object class is a subclass used to add attributes to organization and organizationalUnit object class entries.
top
0.9.2342.19200300.100.4.20
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| o (organizationName) | Gives the organization to which the entry belongs. |
| ou (organizationalUnitName) | Gives the organizational unit or division to which the entry belongs. |
| Attribute | Definition |
|---|---|
| buildingName | Gives the name of the building where the entry is located. |
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Gives the preferred method of being contacted. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and address number for the person's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the ID for an entry's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| userPassword | Stores the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the entry. |
5.3.103. pkiCA
The pkiCA auxiliary object class contains required or available certificates that are configured for a certificate authority. This object class is defined in RFC 4523, which defines object classes and attributes for LDAP to use to manage X.509 certificates and related certificate services.
top
2.5.6.22
| Attribute | Definition |
|---|---|
| authorityRevocationList | Contains a list of revoked CA certificates. |
| cACertificate | Contains a CA certificate. |
| certificateRevocationList | Contains a list of certificates that have been revoked. |
| crossCertificatePair | Contains a pair of certificates that are used to cross-certify a pair of CAs in an FBCA-style bridge CA configuration. |
5.3.104. pkiUser
The pkiUser auxiliary object class contains required certificates for a user or client that connects to a certificate authority or element in the public key infrastructure. This object class is defined in RFC 4523, which defines object classes and attributes for LDAP to use to manage X.509 certificates and related certificate services.
top
2.5.6.21
| Attribute | Definition |
|---|---|
| userCertificate | Stores a user's certificate, usually in binary form. |
5.3.105. posixAccount
The posixAccount object class defines network accounts which use POSIX attributes. This object class is defined in RFC 2307, which defines object classes and attributes to use LDAP as a network information service.
Note
10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.0
| Attribute | Definition |
|---|---|
| cn (commonName) | Gives the common name of the entry. |
| gidNumber | Contains a unique numeric identifier for a group entry or to identify the group for a user entry, analogous to the group number in Unix. |
| homeDirectory | Contains the path to the user's home directory. |
| objectClass | Gives the object classes assigned to the entry. |
| uid (userID) | Gives the defined account's user ID. |
| uidNumber | Contains a unique numeric identifier for a user entry, analogous to the user number in Unix. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| gecos | Used to determine the GECOS field for the user; this is based on a common name, with additional information embedded. |
| loginShell | Contains the path to a script that is launched automatically when a user logs into the domain. |
| userPassword | Stores the password with which the entry can bind to the directory. |
5.3.106. posixGroup
The posixGroup object class defines a group of network accounts which use POSIX attributes. This object class is defined in RFC 2307, which defines object classes and attributes to use LDAP as a network information service.
top
1.3.6.1.1.1.2.2
| Attribute | Definition |
|---|---|
| gidNumber | Contains the path to a script that is launched automatically when a user logs into the domain. |
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| memberUid | Gives the login name of the group member; this may not be the same as the member's DN. |
| userPassword | Contains the login name of the member of a group. |
5.3.107. referral
The referral object class defines an object which supports LDAPv3 smart referrals. This object class is defined in the LDAPv3 referrals Internet Draft.
top
2.16.840.1.113730.3.2.6
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
5.3.108. residentialPerson
The residentialPerson object class manages a person's residential information.
top
2.5.6.10
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| sn (surname) | Gives the person's family name or last name. |
| Attribute | Definition |
|---|---|
| businessCategory | Gives the type of business in which the entry is engaged. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Shows the person's preferred method of contact or message delivery. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| seeAlso | Contains a URL to another entry or site with related information. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and address number for the person's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the ID for an entry's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| userPassword | Stores the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the entry. |
5.3.109. RFC822LocalPart
The RFC822LocalPart object class defines entries that represent the local part of RFC 822 mail addresses. The directory treats this part of an RFC 822 address as a domain.
domain
0.9.2342.19200300.100.4.14
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| dc (domainComponent) | Contains one component of a domain name. |
| Attribute | Definition |
|---|---|
| associatedName | Gives the name of an entry within the organizational directory tree which is associated with a DNS domain. |
| businessCategory | Gives the type of business in which the entry is engaged. |
| cn (commonName) | Gives the common name of the entry. |
| description | Gives a text description of the entry. |
| destinationIndicator | Gives the country and city associated with the entry; this was once required to provide public telegram service. |
| fax (facsimileTelephoneNumber) | Contains the fax number for the entry. |
| internationalISDNNumber | Contains the ISDN number for the entry. |
| l (localityName) | Gives the city or geographical location of the entry. |
| o (organizationName) | Gives the organization to which the account belongs. |
| physicalDeliveryOfficeName | Gives a location where physical deliveries can be made. |
| postalAddress | Contains the mailing address for the entry. |
| postalCode | Gives the postal code for the entry, such as the zip code in the United States. |
| postOfficeBox | Gives the post office box number for the entry. |
| preferredDeliveryMethod | Shows the person's preferred method of contact or message delivery. |
| registeredAddress | Gives a postal address suitable to receive expedited documents when the recipient must verify delivery. |
| searchGuide | Specifies information for suggested search criteria when using the entry as the base object in the directory tree for a search. |
| seeAlso | Contains a URL to another entry or site with related information. |
| sn (surname) | Gives the person's family name or last name. |
| st (stateOrProvinceName) | Gives the state or province where the person is located. |
| street | Gives the street name and address number for the person's physical location. |
| telephoneNumber | Gives the telephone number for the entry. |
| teletexTerminalIdentifier | Gives the identifier for the person's teletex terminal. |
| telexNumber | Gives the telex number associated with the entry. |
| userPassword | Stores the password with which the entry can bind to the directory. |
| x121Address | Gives the X.121 address for the entry. |
5.3.110. room
The room object class stores information in the directory about rooms.
top
0.9.2342.19200300.100.4.7
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| cn (commonName) | Gives the common name of the entry. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the room. |
| roomNumber | Contains the room's number. |
| seeAlso | Contains a URL to another entry or site with related information. |
| telephoneNumber | Gives the telephone number for the entry. |
5.3.111. shadowAccount
The shadowAccount object class allows the LDAP directory to be used as a shadow password service. Shadow password services relocate the password files on a host to a shadow file with tightly restricted access.
Note
10rfc2307.ldif in the Directory Server. To use the updated RFC 2307 schema, remove the 10rfc2307.ldif file and copy the 10rfc2307bis.ldif file from the /usr/share/dirsrv/data directory to the /etc/dirsrv/slapd-instance_name/schema directory.
top
1.3.6.1.1.1.2.1
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| uid (userID) | Gives the defined account's user ID. |
| Attribute | Definition |
|---|---|
| description | Gives a text description of the entry. |
| shadowExpire | Contains the date that the shadow account expires. |
| shadowFlag | Identifies what area in the shadow map stores the flag values. |
| shadowInactive | Sets how long the shadow account can be inactive. |
| shadowLastChange | Contains the time and date of the last modification to the shadow account. |
| shadowMax | Sets the maximum number of days that a shadow password is valid. |
| shadowMin | Sets the minimum number of days that must pass between changing the shadow password. |
| shadowWarning | Sets how many days in advance of password expiration to send a warning to the user. |
| userPassword | Stores the password with which the entry can bind to the directory. |
5.3.112. simpleSecurityObject
The simpleSecurityObject object class allows an entry to contain the userPassword attribute when an entry's principal object classes do not allow a password attribute. Reserved for future use.
top
0.9.2342.19200300.100.4.19
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| userPassword | Stores the password with which the entry can bind to the directory. |
5.3.113. strongAuthenticationUser
The strongAuthenticationUser object class stores a user's certificate in the directory.
top
2.5.6.15
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| userCertificate | Stores a user's certificate, usually in binary form. |
Chapter 6. Operational Attributes and Object Classes
ldapsearch operation if specifically requested.
6.1. accountUnlockTime
| OID | 2.16.840.1.113730.3.1.95 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.2. aci
| OID | 2.16.840.1.113730.3.1.55 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.3. altServer
| OID | 1.3.6.1.4.1.1466.101.120.6 |
| Syntax | IA5String |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.4. copiedFrom
| OID | 2.16.840.1.113730.3.1.613 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.5. copyingFrom
| OID | 2.16.840.1.113730.3.1.614 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.6. createTimestamp
| OID | 2.5.18.1 |
| Syntax | GeneralizedTime |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
6.7. creatorsName
| OID | 2.5.18.3 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
6.8. dITContentRules
| OID | 2.5.21.2 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.9. dITStructureRules
| OID | 2.5.21.1 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.10. entryusn
entryUSN operational attribute on the entry; the entryUSN, then, shows the number for the most recent change on any entry.
Note
The entryUSN attribute increments only with operations performed by LDAP clients. It does not count internal operations.
entryUSN is unique per back end database instance, so entries in other databases may have the same USN. The nsslapd-entryusn-global parameter changes the assignment of USNs from local to global, that is, from being counted on a single database to being counted for all databases in the topology. The parameter is turned off by default.
lastusn, is kept in the root DSE entry, which shows the most recently assigned USN. In local mode, lastusn shows the most recently assigned USN per back end database. In global mode, lastusn shows the most recently assigned USN for the entire topology.
| OID | 2.16.840.1.113730.3.1.606 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.11. internalCreatorsName
internalCreatorsname attributes always show a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.
| OID | 2.16.840.1.113730.3.1.2114 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.12. internalModifiersName
internalModifiersname attributes always show a plug-in as the identity. This plug-in could be an additional plug-in, such as the MemberOf Plug-in. If the change is made by the core Directory Server, then the plug-in is the database plug-in, cn=ldbm database,cn=plugins,cn=config.
| OID | 2.16.840.1.113730.3.1.2113 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.13. hasSubordinates
| OID | 1.3.6.1.4.1.1466.115.121.1.7 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | numSubordinates Internet Draft |
6.14. lastLoginTime
The lastLoginTime attribute contains a timestamp of the last time that the given account authenticated to the directory, in the format YYYYMMDDHHMMSSZ. For example:
lastLoginTime: 20170527001051Z
| OID | 2.16.840.1.113719.1.1.4.1.35 |
| Syntax | GeneralizedTime |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.15. lastModifiedBy
The lastModifiedBy attribute contains the distinguished name (DN) of the user who last edited the entry. For example:
lastModifiedBy: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com
| OID | 0.9.2342.19200300.100.1.24 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
6.16. lastModifiedTime
The lastModifiedTime attribute contains the time, in UTC format, an entry was last modified. For example:
lastModifiedTime: Thursday, 22-Sep-93 14:15:00 GMT
| OID | 0.9.2342.19200300.100.1.23 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 1274 |
6.17. ldapSubEntry
top
2.16.840.1.113719.2.142.6.1.1
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
6.18. ldapSyntaxes
| OID | 1.3.6.1.4.1.1466.101.120.16 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.19. matchingRules
| OID | 2.5.21.4 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.20. matchingRuleUse
| OID | 2.5.21.8 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.21. modifyTimestamp
| OID | 2.5.18.2 |
| Syntax | GeneralizedTime |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
6.22. modifiersName
| OID | 2.5.18.4 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 1274 |
6.23. nameForms
| OID | 2.5.21.7 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | RFC 2252 |
6.24. nsAccountLock
| OID | 2.16.840.1.113730.3.1.610 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.25. nsAIMStatusGraphic
| OID | 2.16.840.1.113730.3.1.2018 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.26. nsAIMStatusText
| OID | 2.16.840.1.113730.3.1.2017 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.27. nsBackendSuffix
| OID | 2.16.840.1.113730.3.1.803 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.28. nscpEntryDN
| OID | 2.16.840.1.113730.3.1.545 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.29. nsDS5ReplConflict
nsDS5ReplConflict contains information about which entries are in conflict, usually by referring to them by their nsUniqueID for both current entries and tombstone entries.
| OID | 2.16.840.1.113730.3.1.973 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.30. nsICQStatusGraphic
| OID | 2.16.840.1.113730.3.1.2022 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.31. nsICQStatusText
| OID | 2.16.840.1.113730.3.1.2021 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.32. nsIdleTimeout
| OID | 2.16.840.1.113730.3.1.573 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.33. nsIDListScanLimit
| OID | 2.16.840.1.113730.3.1.2106 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.34. nsLookThroughLimit
| OID | 2.16.840.1.113730.3.1.570 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.35. nsPagedIDListScanLimit
nsIDListScanLimit attribute, except that it only applies to searches with the simple paged results control.
nsIDListScanLimit is used to paged searches as well as non-paged searches.
| OID | 2.16.840.1.113730.3.1.2109 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.36. nsPagedLookThroughLimit
nsLookThroughLimit attribute, except that it only applies to searches with the simple paged results control.
nsLookThroughLimit is used to paged searches as well as non-paged searches.
| OID | 2.16.840.1.113730.3.1.2108 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.37. nsPagedSizeLimit
nsSizeLimit attribute for paged searches.
nsSizeLimit attribute is used for paged searches as well as non-paged searches for the user, or the global configuration settings are used.
| OID | 2.16.840.1.113730.3.1.2107 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.38. nsParentUniqueId
The nsParentUniqueId attribute contains the DN or entry ID for the parent of the original entry.
| OID | 2.16.840.1.113730.3.1.544 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.39. nsRole
| OID | 2.16.840.1.113730.3.1.574 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.40. nsRoleDn
nsRoleDN attribute. For example:
dn: cn=staff,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsSimpleRoleDefinition
objectclass: nsManagedRoleDefinition

dn: cn=userA,ou=users,ou=employees,dc=example,dc=com
objectclass: top
objectclass: person
sn: uA
userpassword: secret
nsroledn: cn=staff,ou=employees,dc=example,dc=com
nsRoleDN defines the DN of the contained roles. For example:
dn: cn=everybody,ou=employees,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
nsroledn: cn=manager,ou=employees,dc=example,dc=com
nsroledn: cn=staff,ou=employees,dc=example,dc=com
| OID | 2.16.840.1.113730.3.1.575 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Directory Server |
6.41. nsRoleFilter
| OID | 2.16.840.1.113730.3.1.576 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2252 |
6.42. nsSchemaCSN
| OID | 2.5.21.82.16.840.1.113730.3.1.804 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.43. nsSizeLimit
| OID | 2.16.840.1.113730.3.1.571 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.44. nsTimeLimit
| OID | 2.16.840.1.113730.3.1.572 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.45. nsTombstone (Object Class)
nsTombstone object class, automatically.
top
2.16.840.1.113730.3.2.113
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
| Attribute | Definition |
|---|---|
| nsParentUniqueId | Identifies the unique ID of the parent entry of the original entry. |
| nscpEntryDN | Identifies the original entry DN in a tombstone entry. |
6.46. nsUniqueId
| OID | 2.16.840.1.113730.3.1.542 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.47. nsYIMStatusGraphic
| OID | 2.16.840.1.113730.3.1.2020 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.48. nsYIMStatusText
| OID | 2.16.840.1.113730.3.1.2019 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.49. numSubordinates
numSubordinates=0 in a leaf entry.
| OID | 1.3.1.1.4.1.453.16.2.103 |
| Syntax | Integer |
| Multi- or Single-Valued | Single-valued |
| Defined in | numSubordinates Internet Draft |
6.50. passwordGraceUserTime
| OID | 2.16.840.1.113730.3.1.998 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.51. passwordRetryCount
| OID | 2.16.840.1.113730.3.1.93 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.52. pwdpolicysubentry
| OID | 2.16.840.1.113730.3.1.997 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.53. pwdUpdateTime
| OID | 2.16.840.1.113730.3.1.2133 |
| Syntax | GeneralizedTime |
| Multi- or Single-Valued | Single-valued |
| Defined in | Directory Server |
6.54. subschemaSubentry
subschemaSubentry: cn=schema
| OID | 2.5.18.10 |
| Syntax | DN |
| Multi- or Single-Valued | Single-valued |
| Defined in | RFC 2252 |
6.55. glue (Object Class)
The glue object class defines an entry in a special state: resurrected due to a replication conflict.
top
2.16.840.1.113730.3.2.30
| Attribute | Definition |
|---|---|
| objectClass | Gives the object classes assigned to the entry. |
6.56. passwordObject (Object Class)
top
2.16.840.1.113730.3.2.12
| Attribute | Definition |
|---|---|
| accountUnlockTime | Refers to the amount of time that must pass after an account lockout before the user can bind to the directory again. |
| passwordAllowChangeTime | Specifies the length of time that must pass before users are allowed to change their passwords. |
| passwordExpirationTime | Specifies the length of time that passes before the user’s password expires. |
| passwordExpWarned | Indicates that a password expiration warning has been sent to the user. |
| passwordGraceUserTime | Specifies the number of login attempts that are allowed to a user after the password has expired. |
| passwordHistory (Password History) | Contains the history of the user’s previous passwords. |
| passwordRetryCount | Counts the number of consecutive failed attempts at entering the correct password. |
| pwdpolicysubentry | Points to the entry DN of the new password policy. |
| retryCountResetTime | Specifies the length of time that passes before the passwordRetryCount attribute is reset. |
6.57. subschema (Object Class)
top
2.5.20.1
| Attribute | Definition |
|---|---|
| attributeTypes | Attribute types used within a subschema. |
| dITContentRules | Defines the DIT content rules which are in force within a subschema. |
| dITStructureRules | Defines the DIT structure rules which are in force within a subschema. |
| matchingRuleUse | Indicates the attribute types to which a matching rule applies in a subschema. |
| matchingRules | Defines the matching rules used within a subschema. |
| nameForms | Defines the name forms used in a subschema. |
| objectClasses | Defines the object classes used in a subschema. |
Chapter 7. Log File Reference
/var/log/dirsrv/slapd-instance_name directory.
7.1. Access Log Reference
- Connection record, which gives the connection index and the IP address of the client.
- Bind record.
- Bind result record.
- Sequence of operation request/operation result pairs of records (or individual records in the case of connection, closed, and abandon records).
- Unbind record.
- Closed record.
[21/Apr/2017:11:39:51 -0700] — the format of which may vary depending on the platform. -0700 indicates the time difference in relation to GMT. Apart from the connection, closed, and abandon records, which appear individually, all records appear in pairs, consisting of a request for service record followed by a result record. These two records frequently appear on adjacent lines, but this is not always the case.
nsslapd-accesslog-level attribute. This section provides an overview of the default access logging content, log levels, and the content logged at different logging levels.
Note
logconv.pl, which can analyze access logs to extract usage statistics and count the occurrences of significant events. For details about this script, see Section 9.4.9, “logconv.pl (Log Converter)”.
7.1.1. Access Logging Levels
- 0 = No access logging.
- 4 = Logging for internal access operations.
- 256 = Logging for access to an entry.
- 512 = Logging for access to an entry and referrals.
- 131072 = Precise timing of operation duration. This gives microsecond resolution for the Elapsed Time item in the access log.
nsslapd-accesslog-level to 516 (512+4).
7.1.2. Default Access Logging Content
Example 7.1. Example Access Log
[21/Apr/2017:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2017:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(mobile=+1 123 456-7890)"
[21/Apr/2017:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[21/Apr/2017:11:39:51 -0700] conn=11 op=2 UNBIND
[21/Apr/2017:11:39:51 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2017:11:39:52 -0700] conn=12 fd=634 slot=634 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2017:11:39:52 -0700] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2017:11:39:52 -0700] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2017:11:39:52 -0700] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)"
[21/Apr/2017:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
[21/Apr/2017:11:39:52 -0700] conn=12 op=3 UNBIND
[21/Apr/2017:11:39:52 -0700] conn=12 op=3 fd=634 closed - U1
[21/Apr/2017:11:39:53 -0700] conn=13 fd=659 slot=659 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2017:11:39:53 -0700] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2017:11:39:53 -0700] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2017:11:39:53 -0700] conn=13 op=1 EXT oid="2.16.840.1.113730.3.5.3"
[21/Apr/2017:11:39:53 -0700] conn=13 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[21/Apr/2017:11:39:53 -0700] conn=13 op=2 ADD dn="cn=Sat Apr 21 11:39:51 MET DST 2017,dc=example,dc=com"
[21/Apr/2017:11:39:53 -0700] conn=13 op=2 RESULT err=0 tag=105 nentries=0 etime=0 csn=3b4c8cfb000000030000
[21/Apr/2017:11:39:53 -0700] conn=13 op=3 EXT oid="2.16.840.1.113730.3.5.5"
[21/Apr/2017:11:39:53 -0700] conn=13 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[21/Apr/2017:11:39:53 -0700] conn=13 op=4 UNBIND
[21/Apr/2017:11:39:53 -0700] conn=13 op=4 fd=659 closed - U1
[21/Apr/2017:11:39:55 -0700] conn=14 fd=700 slot=700 connection from 207.1.153.51 to 192.18.122.139
[21/Apr/2017:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2017:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2017:11:39:55 -0700] conn=14 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2017:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[21/Apr/2017:11:39:55 -0700] conn=14 op=2 UNBIND
[21/Apr/2017:11:39:53 -0700] conn=14 op=2 fd=700 closed - U1
Every external LDAP request is listed with an incremental connection number, in this case conn=11, starting at conn=0 immediately after server startup.
[21/Apr/2017:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
4 on the nsslapd-accesslog-level (Access Log Level) configuration attribute.
Every connection from an external LDAP client to Directory Server requires a file descriptor or socket descriptor from the operating system, in this case fd=608. fd=608 indicates that it was file descriptor number 608 out of the total pool of available file descriptors which was used.
[21/Apr/2017:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
The slot number, in this case slot=608, is a legacy part of the access log which has the same meaning as file descriptor. Ignore this part of the access log.
[21/Apr/2017:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 207.1.153.51 to 192.18.122.139
To process a given LDAP request, Directory Server will perform the required series of operations. For a given connection, all operation request and operation result pairs are given incremental operation numbers beginning with op=0 to identify the distinct operations being performed.
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
op=0 for the bind operation request and result pair, then op=1 for the LDAP search request and result pair, and so on. The entry op=-1 in the access log generally means that the LDAP request for this connection was not issued by an external LDAP client but, instead, initiated internally.
The method number, in this case method=128, indicates which LDAPv3 bind method was used by the client.
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
- 0 for authentication
- 128 for simple bind with user password
- sasl for SASL bind using external authentication mechanism
The version number, in this case version=3, indicates the LDAP version number (either LDAPv2 or LDAPv3) that the LDAP client used to communicate with the LDAP server.
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
The error number, in this case err=0, provides the LDAP result code returned from the LDAP operation performed. The LDAP error number 0 means that the operation was successful. For a more comprehensive list of LDAP result codes, see Section 7.4, “LDAP Result Codes”.
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
The tag number, in this case tag=97, indicates the type of result returned, which is almost always a reflection of the type of operation performed. The tags used are the BER tags from the LDAP protocol.
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
Table 7.1. Commonly-Used Tags
| Tag | Description |
|---|---|
| tag=97 | Result from a client bind operation. |
| tag=100 | The actual entry being searched for. |
| tag=101 | Result from a search operation. |
| tag=103 | Result from a modify operation. |
| tag=105 | Result from an add operation. |
| tag=107 | Result from a delete operation. |
| tag=109 | Result from a moddn operation. |
| tag=111 | Result from a compare operation. |
| tag=115 | Search reference when the entry on which the search was performed holds a referral to the required entry. Search references are expressed in terms of a referral. |
| tag=120 | Result from an extended operation. |
| tag=121 | Result from an intermediate operation. |
Note
tag=100 and tag=115 are not result tags as such, and so it is unlikely that they will be recorded in the access log.
nentries shows the number of entries, in this case nentries=0, that were found matching the LDAP client's request.
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
etime shows the elapsed time, in this case etime=3, or the amount of time (in seconds) that it took the Directory Server to perform the LDAP operation.
[21/Apr/2017:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
An etime value of 0 means that the operation actually took milliseconds to perform. To have microsecond resolution for this item in the access log, enter a value of 131328 (256+131072) in the nsslapd-accesslog-level configuration attribute.
The LDAP request type indicates the type of LDAP request being issued by the LDAP client. Possible values are:
- SRCH for search
- MOD for modify
- DEL for delete
- ADD for add
- MODDN for moddn
- EXT for extended operation
- ABANDON for abandon operation
SORT serialno will be recorded in the log, followed by the number of candidate entries that were sorted. For example:
[04/May/2017:15:51:46 -0700] conn=114 op=68 SORT serialno (1)
1.
The LDAP response type indicates the LDAP response being issued by the LDAP client. There are three possible values:
- RESULT
- ENTRY
- REFERRAL, an LDAP referral or search reference
Directory Server provides additional information on searches in the notes field of log entries. For example:
[21/Apr/2016:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
- Paged Search Indicator: notes=P
  LDAP clients with limited resources can control the rate at which an LDAP server returns the results of a search operation. When the search performed used the LDAP control extension for simple paging of search results, Directory Server logs the notes=P paged search indicator. This indicator is informational and no further actions are required.
  For more details, see RFC 2696.
- Unindexed Search Indicators: notes=A and notes=U
  When attributes are not indexed, Directory Server must search them in the database directly. This procedure is more resource-intensive than searching the index file.
  The following unindexed search indicators can be logged:
  - notes=A: All candidate attributes in the filter were unindexed and a full table scan was required. This can exceed the value set in the nsslapd-lookthroughlimit parameter.
  - notes=U: This state is set in the following situations:
    - At least one of the search terms is unindexed.
    - The limit set in the nsslapd-idlistscanlimit parameter was reached during the search operation. For details, see Section 4.4.1.21, “nsslapd-idlistscanlimit”.
  Unindexed searches occur in the following scenarios:
  - The nsslapd-idlistscanlimit parameter's value was reached within the index file used for the search.
  - No index file existed.
  - The index file was not configured in the way required by the search.
  To optimize future searches, add frequently searched unindexed attributes to the index. For details, see the corresponding section in the Directory Server Administration Guide.
  Note
  An unindexed search indicator is often accompanied by a large etime value, as unindexed searches are generally more time consuming.
notes field can have the following value combinations: notes=P,A and notes=U,P.
When a search involves virtual list views (VLVs), appropriate entries are logged in the access log file. Similar to the other entries, VLV-specific entries show the request and response information side by side:
VLV RequestInformation ResponseInformation
beforeCount:afterCount:index:contentCount
targetPosition:contentCount (resultCode)
[07/May/2017:11:43:29 -0700] conn=877 op=8530 SRCH base="(ou=People)" scope=2 filter="(uid=*)"
[07/May/2017:11:43:29 -0700] conn=877 op=8530 SORT uid
[07/May/2017:11:43:29 -0700] conn=877 op=8530 VLV 0:5:0210 10:5397 (0)
[07/May/2017:11:43:29 -0700] conn=877 op=8530 RESULT err=0 tag=101 nentries=1 etime=0
0:5:0210, is the VLV request information:
- The beforeCount is 0.
- The afterCount is 5.
- The value is 0210.
10:5397 (0), is the VLV response information:
- The targetPosition is 10.
- The contentCount is 5397.
- The (resultCode) is (0).
The entry scope=n defines the scope of the search performed, and n can have a value of 0, 1, or 2.
- 0 for base search
- 1 for one-level search
- 2 for subtree search
An extended operation OID, such as EXT oid="2.16.840.1.113730.3.5.3" or EXT oid="2.16.840.1.113730.3.5.5" in Example 7.1, “Example Access Log”, provides the OID of the extended operation being performed. Table 7.2, “LDAPv3 Extended Operations Supported by Directory Server” provides a partial list of LDAPv3 extended operations and their OIDs supported in Directory Server.
Table 7.2. LDAPv3 Extended Operations Supported by Directory Server
| Extended Operation Name | Description | OID |
|---|---|---|
| Directory Server Start Replication Request | Sent by a replication initiator to indicate that a replication session is requested. | 2.16.840.1.113730.3.5.3 |
| Directory Server Replication Response | Sent by a replication responder in response to a Start Replication Request Extended Operation or an End Replication Request Extended Operation. | 2.16.840.1.113730.3.5.4 |
| Directory Server End Replication Request | Sent to indicate that a replication session is to be terminated. | 2.16.840.1.113730.3.5.5 |
| Directory Server Replication Entry Request | Carries an entry, along with its state information (csn and UniqueIdentifier) and is used to perform a replica initialization. | 2.16.840.1.113730.3.5.6 |
| Directory Server Bulk Import Start | Sent by the client to request a bulk import together with the suffix being imported to and sent by the server to indicate that the bulk import may begin. | 2.16.840.1.113730.3.5.7 |
| Directory Server Bulk Import Finished | Sent by the client to signal the end of a bulk import and sent by the server to acknowledge it. | 2.16.840.1.113730.3.5.8 |
The change sequence number, in this case csn=3b4c8cfb000000030000, is the replication change sequence number, indicating that replication is enabled on this particular naming context.
[21/Apr/2017:11:39:52 -0700] conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0
nentries=0 indicates the number of entries sent before the operation was aborted, etime=0 value indicates how much time (in seconds) had elapsed, and targetop=1 corresponds to an operation value from a previously initiated operation (that appears earlier in the access log).
ABANDON messages, depending on whether the message ID succeeds in locating which operation was to be aborted. If the message ID succeeds in locating the operation (the targetop) then the log will read as above. However, if the message ID does not succeed in locating the operation or if the operation had already finished prior to the ABANDON request being sent, then the log will read as follows:
[21/Apr/2017:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
targetop=NOTFOUND indicates the operation to be aborted was either an unknown operation or already complete.
The message ID, in this case msgid=2, is the LDAP operation identifier, as generated by the LDAP SDK client. The message ID may have a different value than the operation number but identifies the same operation. The message ID is used with an ABANDON operation and tells the user which client operation is being abandoned.
[21/Apr/2017:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
Note
In Directory Server, logging for multi-stage binds is explicit. Each stage in the bind process is logged. The error codes for these SASL connections are really return codes. In Example 7.1, “Example Access Log”, the SASL bind is currently in progress so it has a return code of err=14, meaning the connection is still open, and there is a corresponding progress statement, SASL bind in progress.
[21/Apr/2017:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2017:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
sasl method is followed by the LDAP Version Number and the SASL mechanism used, as shown below with the GSS-API mechanism.
[21/Apr/2017:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
Note
[21/Apr/2017:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
7.1.3. Access Log Content for Additional Access Logging Levels
4, which logs internal operations, is enabled.
Example 7.2. Access Log Extract with Internal Access Operations Level (Level 4)
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral" options=persistent
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-state"
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
4 enables logging for internal operations, which log search base, scope, filter, and requested search attributes, in addition to the details of the search being performed.
768 is enabled (512 + 256), which logs access to entries and referrals. In this extract, six entries and one referral are returned in response to the search request, which is shown on the first line.
[12/Jul/2017:16:43:02 +0200] conn=306 fd=60 slot=60 connection from 127.0.0.1 to 127.0.0.1
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)" attrs=ALL
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Special
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=Accounting Managers,ou=groups,dc=example,dc=com"
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=HR Managers,ou=groups,dc=example,dc=com"
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=QA Managers,ou=groups,dc=example,dc=com"
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 ENTRY dn="cn=PD Managers,ou=groups,dc=example,dc=com"
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 ENTRY dn="ou=Red Hat Servers,dc=example,dc=com"
[12/Jul/2017:16:43:02 +0200] conn=306 op=0 REFERRAL
The connection description, in this case conn=Internal, indicates that the connection is an internal connection. The operation number op=-1 also indicates that the operation was initiated internally.
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 ENTRY dn="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config"
The options description (options=persistent) indicates that a persistent search is being performed, as distinguished from a regular search operation. Persistent searches can be used as a form of monitoring and configured to return changes to given configurations as changes occur.
512 and 4 are enabled for this example, so both internal access operations and entry access and referrals are being logged.
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=\22dc=example,dc=com\22,cn=mapping tree,cn=config" scope=0 filter="objectclass=nsMappingTree" attrs="nsslapd-referral" options=persistent
7.1.4. Common Connection Codes
closed log message to provide additional information related to the connection closure.
Table 7.3. Common Connection Codes
| Connection Code | Description |
|---|---|
| A1 | Client aborts the connection. |
| B1 | Corrupt BER tag encountered. If BER tags, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER tags can be corrupted due to physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results. |
| B2 | BER tag is longer than the nsslapd-maxbersize attribute value. For further information about this configuration attribute, see Section 3.1.1.92, “nsslapd-maxbersize (Maximum Message Size)”. |
| B3 | Corrupt BER tag encountered. |
| B4 | Server failed to flush data response back to client. |
| P2 | Closed or corrupt connection has been detected. |
| T1 | Client does not receive a result within the specified idletimeout period. For further information about this configuration attribute, see Section 3.1.1.72, “nsslapd-idletimeout (Default Idle Timeout)”. |
| T2 | Server closed connection after ioblocktimeout period was exceeded. For further information about this configuration attribute, see Section 3.1.1.74, “nsslapd-ioblocktimeout (IO Block Time Out)”. |
| U1 | Connection closed by server after client sends an unbind request. The server will always close the connection when it sees an unbind request. |
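The following added example (not part of the original reference) shows one way to turn the access log fields and connection codes described above into detections. It pairs each request with its RESULT by conn and op, then reports failed binds (err=49) per client address, searches flagged notes=A or notes=U, and connections closed with a code other than U1. The log lines, addresses, DNs, and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the access log format described above. Addresses are
# RFC 5737 documentation ranges and the DNs are placeholders.
SAMPLE_LOG = """\
[21/Apr/2017:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 192.0.2.10 to 198.51.100.5
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2017:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2017:11:39:51 -0700] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(description=*)"
[21/Apr/2017:11:39:51 -0700] conn=11 op=1 SORT uid
[21/Apr/2017:11:39:54 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=3 notes=U,P
[21/Apr/2017:11:39:54 -0700] conn=11 op=2 UNBIND
[21/Apr/2017:11:39:54 -0700] conn=11 op=2 fd=608 closed - U1
[21/Apr/2017:11:39:55 -0700] conn=13 fd=659 slot=659 connection from 192.0.2.20 to 198.51.100.5
[21/Apr/2017:11:39:55 -0700] conn=13 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2017:11:39:55 -0700] conn=13 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[21/Apr/2017:11:39:55 -0700] conn=13 op=1 BIND dn="uid=jdoe,dc=example,dc=com" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2017:11:39:55 -0700] conn=13 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,dc=example,dc=com"
[21/Apr/2017:11:39:55 -0700] conn=13 op=2 UNBIND
[21/Apr/2017:11:39:55 -0700] conn=13 op=2 fd=659 closed - U1
[21/Apr/2017:11:40:02 -0700] conn=14 fd=700 slot=700 connection from 192.0.2.66 to 198.51.100.5
[21/Apr/2017:11:40:02 -0700] conn=14 op=0 BIND dn="uid=bjensen,ou=people,dc=example,dc=com" method=128 version=3
[21/Apr/2017:11:40:02 -0700] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2017:11:40:03 -0700] conn=14 op=1 BIND dn="uid=bjensen,ou=people,dc=example,dc=com" method=128 version=3
[21/Apr/2017:11:40:03 -0700] conn=14 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2017:11:40:03 -0700] conn=14 op=1 fd=700 closed - B1
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 SRCH base="cn=config" scope=0 filter="objectclass=nsMappingTree"
[12/Jul/2017:16:45:46 +0200] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
"""

CONNECT_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+")
OP_RE = re.compile(r"^\[[^\]]+\] conn=(\S+) op=(-?\d+) (.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
CLOSE_RE = re.compile(r"closed - (\w+)$")

INVALID_CREDENTIALS = "49"  # 0x31 LDAP_INVALID_CREDENTIALS in Table 7.5
CLEAN_CLOSE = "U1"          # Table 7.3: closed after a client unbind
# Lines that share an op number with a request but never get their own RESULT.
NO_RESULT = {"SORT", "VLV", "ENTRY", "REFERRAL", "UNBIND", "ABANDON"}


def parse_fields(text):
    """Split key=value pairs; quoted values may contain spaces, commas and '='."""
    out = {}
    for key, value in KV_RE.findall(text):
        # Unquoted values can carry a trailing comma ("etime=0, SASL bind in progress").
        out[key] = value[1:-1] if value.startswith('"') else value.rstrip(",")
    return out


def analyze(log_text):
    clients, pending = {}, {}  # conn -> client IP; (conn, op) -> open request
    failed_binds, bad_closes, unindexed = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = OP_RE.match(line)
        if not m or m.group(1) == "Internal":
            continue  # unparsed line, or an internal operation (level 4 logging)
        conn, op, body = m.groups()
        ip = clients.get(conn, "unknown")
        closed = CLOSE_RE.search(body)
        if closed:
            if closed.group(1) != CLEAN_CLOSE:
                bad_closes[(ip, closed.group(1))] += 1
            clients.pop(conn, None)
            continue
        verb, _, tail = body.partition(" ")
        if verb in NO_RESULT:
            continue
        kv = parse_fields(tail)
        if verb != "RESULT":
            pending[(conn, op)] = (verb, kv)
            continue
        req_verb, req = pending.pop((conn, op), (None, {}))
        # err=14 (SASL bind in progress) is a return code, not a failure.
        if req_verb == "BIND" and kv.get("err") == INVALID_CREDENTIALS:
            failed_binds[(ip, req.get("dn", ""))] += 1
        notes = set(kv.get("notes", "").split(","))
        if req_verb == "SRCH" and notes & {"A", "U"}:
            unindexed.append({"client": ip, "base": req.get("base"),
                              "filter": req.get("filter"),
                              "etime": float(kv.get("etime", 0)),
                              "notes": sorted(notes)})
    return {"failed_binds": dict(failed_binds),
            "abnormal_closes": dict(bad_closes),
            "unindexed_searches": unindexed}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
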
7.1.5. Getting Access Log Statistics
The logconv.pl script parses the access log and returns summary information on different users and operations that have been run on the server.
logconv.pl /relative/path/to/accessLog
logconv.pl /var/log/dirsrv/slapd-instance_name/access*
logconv.pl are covered in the manpage and in Section 9.4.9, “logconv.pl (Log Converter)”.
logconv.pl can be used to pull general usage information from the access logs.
logconv.pl prints a list of total operations, total number of connections, counts per each operation type, counts for some extended operations like persistent searches, and bind information.
[root@server slapd-example]# logconv.pl access
Access Log Analyzer 6.0
Command : logconv.pl access
Processing 1 Access Log(s)...
Filename Total Lines Lines processed
---------------------------------------------------------------
access 7 7
----------- Access Log Output ------------
Restarts: 0
Total Connections: 0
Peak Concurrent Connections: 1
Total Operations: 2
Total Results: 2
Overall Performance: 100.0%
Searches: 1
Modifications: 0
Adds: 0
Compares 0
Deletes: 0
Mod RDNs: 0
Mod DNs: 0
Persistent Searches: 0
Internal Operations: 0
Entry Operations: 0
Extended Operations: 0
Abandoned Requests: 0
Smart Referrals Received: 0
VLV Operations: 0
VLV Unindexed Searches: 0
SORT Operations: 0
SSL Connections: 0
Entire Search Base Queries: 1
Unindexed Searches: 0
FDs Taken: 1
FDs Returned: 1
Highest FD Taken: 64
Broken Pipes: 0
Connections Reset By Peer: 0
Resource Unavailable: 0
Binds: 1
Unbinds: 1
LDAP v2 Binds: 0
LDAP v3 Binds: 1
SSL Client Binds: 0
Failed SSL Client Binds: 0
SASL Binds: 0
Directory Manager Binds: 1
Anonymous Binds: 0
Proxy Auth Binds: 0
Other Binds: 0
b) and the total connection codes returned by the server (c) are passed as -bc.
[root@server slapd-example]# logconv.pl -bc access
... 8< ...
----- Total Connection Codes -----
U1 3 Cleanly Closed Connections
B1 1 Bad Ber Tag Encountered
----- Top 20 Bind DN's -----
Number of Unique Bind DN's: 212
1801 cn=directory manager
1297 Anonymous Binds
311 uid=jsmith,ou=people...
87 uid=bjensen,ou=peopl...
85 uid=mreynolds,ou=peo...
69 uid=jrockford,ou=peo...
55 uid=sspencer,ou=peop...
... 8< ...
-S), before a certain end time (-E), or within a range. When start and end times are set, logconv.pl first prints the time range given, then the summary for that period.
[root@server slapd-example]# logconv.pl -S "[01/Jul/2012:16:11:47 -0400]" -E "[01/Jul/2012:17:23:08 -0400]" access
Access Log Analyzer 6.0
Command : logconv.pl -S [01/Jul/2012:16:11:47 -0400] -E [01/Jul/2012:17:23:08 -0400] access
Processing 1 Access Log(s)...
Filename Total Lines Lines processed
---------------------------------------------------------------
access 25 20
----------- Access Log Output ------------
Start of Log: 01/Jul/2012:16:11:47
End of Log: 01/Jul/2012:17:23:08
... 8< ...
-M) or per second (-m). In this case, the data are printed, in time unit increments, to a specified CSV output file.
logconv.pl -m|-M outputFile accessLogFile
[root@server slapd-example]# logconv.pl -M /home/output/statsPerMin.txt /var/log/dirsrv/slapd-instance_name/access*
-M|-m options can also be used with the -S and -E arguments, to get per-minute or per-second counts within a specific time period.
Time,time_t,Results,Search,Add,Mod,Modrdn,Delete,Abandon,Connections,SSL Conns,Bind,Anon Bind,Unbind,Unindexed
- Open the CSV file.
- Click the menu, and select .
- In the Chart Type area, set the chart type to XY (Scatter).
- Set the subtype to lines only.
- Select the option to sort by X values.

- Accept the defaults in the other screens (particularly, to use the data series in columns and to set the first row and first column as labels), and create the chart.
7.2. Error Log Reference
7.2.1. Error Log Logging Levels
16384, which includes critical error messages and standard logged messages, like LDAP result codes and startup messages. As with access logging, error logging levels are additive. To enable both replication logging (8192) and plug-in logging (65536), set the log level to 73728 (8192 + 65536).
Note
8192) should only be enabled for troubleshooting, not for daily operations.
Table 7.4. Error Log Levels
| Setting | Console Name | Description |
|---|---|---|
| 1 | Trace function calls | Logs a message when the server enters and exits a function. |
| 2 | Packeting handlings | Logs debug information for packets processed by the server. |
| 4 | Heavy trace output | Logs when the server enters and exits a function, with additional debugging messages. |
| 8 | Connection management | Logs the current connection status, including the connection methods used for a SASL bind. |
| 16 | Packets sent/received | Print out the numbers of packets sent and received by the server. |
| 32 | Search filter processing | Logs all of the functions called by a search operation. |
| 64 | Config file processing | Prints any .conf configuration files used with the server, line by line, when the server is started. By default, only slapd-collations.conf is available and processed. |
| 128 | Access control list processing | |
| 2048 | Log entry parsing. | Logs schema parsing debugging information. |
| 4096 | Housekeeping | Housekeeping thread debugging. |
| 8192 | Replication | Logs detailed information about every replication-related operation, including updates and errors, which is important for debugging replication problems. |
| 16384 | Default | Default level of logging used for critical errors and other messages that are always written to the error log, such as server startup messages. Messages at this level are always included in the error log, regardless of the log level setting. |
| 32768 | Entry cache | Database entry cache debugging. |
| 65536 | Plug-ins | Writes an entry to the log file when a server plug-in calls slapi-log-error, so this is used for server plug-in debugging. |
| 262144 | Access control summary | Summarizes information about access to the server, much less verbose than level 128. This value is recommended for use when a summary of access control processing is needed. Use 128 for very detailed processing messages. |
7.2.2. Error Log Content
- A timestamp, such as [05/Jan/2017:02:27:22 -0500], although the format varies depending on the platform. The ending four digits, -0500, indicate the time difference in relation to GMT.
- The plug-in being called, for internal operations.
- Functions called by the plug-in, for internal operations.
- Messages returned by the plug-in or operation, which may include LDAP error codes, connection information, or entry information.
Example 7.3. Error Log Excerpt
[05/Jan/2017:02:27:22 -0500] slapi_ldap_bind - Error: could not send bind request for id [cn=repl manager,cn=config] mech [SIMPLE]: error 91 (Can't connect to the LDAP server)
[06/Jan/2017:17:52:04 -0500] schemareload - Schema reload task starts (schema dir: default) ...
[06/Jan/2017:17:52:04 -0500] schemareload - Schema validation passed.
[06/Jan/2017:17:52:04 -0500] schemareload - Schema reload task finished.
[07/Jan/2017:15:54:08 -0500] - libdb: write: 0xb75646e5, 508: No space left on device
[07/Jan/2017:15:54:08 -0500] - libdb: txn_checkpoint: log failed at LSN [22 7649039] No space left on device
[07/Jan/2017:15:54:08 -0500] - Serious Error- - - Failed to checkpoint database, err=28 (No space left on device)
[07/Jan/2017:15:54:08 -0500] - *** DISK FULL ***
[07/Jan/2017:15:54:08 -0500] - Attempting to shut down gracefully.
[07/Jan/2017:15:54:08 -0500] - slapd shutting down - signaling operation threads
[07/Jan/2017:15:54:08 -0500] - slapd shutting down - closing down internal subsystems and plugins
[07/Jan/2017:15:54:11 -0500] - Waiting for 3 database threads to stop
[07/Jan/2017:15:54:11 -0500] - All database threads now stopped
[07/Jan/2017:15:54:12 -0500] - slapd stopped.
Red Hat-Directory/9.0.4 B2008.310.1012
server.example.com:389 (/etc/dirsrv/slapd-example)
[07/Jan/2017:22:18:41 -0500] - Red Hat-Directory/9.0.4 B2008.310.1012 starting up
[07/Jan/2017:22:18:44 -0500] memory allocator - cannot calloc 0 elements;
trying to allocate 0 or a negative number of elements is not portable and
gives different results on different platforms.
[07/Jan/2017:22:18:44 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
7.2.3. Error Log Content for Other Log Levels
[timestamp] NSMMReplicationPlugin - agmt="name" (consumer_host:consumer_port): current_task
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000
{replicageneration} means that the new information is being sent, and 4949df6e000000010000 is the change sequence number of the entry being replicated.
Example 7.4. Replication Error Log Entry
[09/Jan/2017:13:44:48 -0500] - _csngen_adjust_local_time: gen state before 496799220001:1231526178:0:0
[09/Jan/2017:13:44:48 -0500] - _csngen_adjust_local_time: gen state after 49679b200000:1231526688:0:0
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49679b20000000010000 into pending list
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - Purged state information from entry uid=mreynolds,ou=People,dc=example,dc=com up to CSN 495e5d73000000010000
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49679b20000000010000
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: wait_for_changes -> wait_for_changes
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: wait_for_changes -> ready_to_acquire_replica
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Trying non-secure slapi_ldap_init_ext
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): binddn = cn=directory manager, passwd = {DES}iRDGwYacBXFTnmlzPU01WQ==
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): No linger to cancel on the connection
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Replica was successfully acquired.
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: ready_to_acquire_replica -> sending_updates
[09/Jan/2017:13:44:48 -0500] - csngen_adjust_time: gen state before 49679b200002:1231526688:0:0
[09/Jan/2017:13:44:48 -0500] - _cl5PositionCursorForReplay (agmt="cn=example2" (alt:13864)): Consumer RUV:
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replica 1 ldap://server.example.com:389} 494aa17d000000010000 496797f3000000010000 00000000
[09/Jan/2017:13:44:48 -0500] - _cl5PositionCursorForReplay (agmt="cn=example2" (alt:13864)): Supplier RUV:
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replicageneration} 4949df6e000000010000
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): {replica 1 ldap://server.example.com:389} 494aa17d000000010000 49679b20000000010000 49679b20
[09/Jan/2017:13:44:48 -0500] agmt="cn=example2" (alt:13864) - session start: anchorcsn=496797f3000000010000
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - changelog program - agmt="cn=example2" (alt:13864): CSN 496797f3000000010000 found, position set for replay
[09/Jan/2017:13:44:48 -0500] agmt="cn=example2" (alt:13864) - load=1 rec=1 csn=49679b20000000010000
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): replay_update: Sending modify operation (dn="uid=mreynolds,ou=people,dc=example,dc=com" csn=49679b20000000010000)
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): replay_update: Consumer successfully sent operation with csn 49679b20000000010000
[09/Jan/2017:13:44:48 -0500] agmt="cn=example2" (alt:13864) - clcache_load_buffer: rc=-30990
[09/Jan/2017:13:44:48 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): No more updates to send (cl5GetNextOperationToReplay)
[09/Jan/2017:13:44:48 -0500] - repl5_inc_waitfor_async_results: 0 5
[09/Jan/2017:13:44:49 -0500] - repl5_inc_result_threadmain starting
[09/Jan/2017:13:44:49 -0500] - repl5_inc_result_threadmain: read result for message_id 5
[09/Jan/2017:13:44:49 -0500] - repl5_inc_result_threadmain: result 3, 0, 0, 5, (null)
[09/Jan/2017:13:44:49 -0500] - repl5_inc_result_threadmain: read result for message_id 5
[09/Jan/2017:13:44:49 -0500] - repl5_inc_waitfor_async_results: 5 5
[09/Jan/2017:13:44:50 -0500] - repl5_inc_result_threadmain: read result for message_id 5
[09/Jan/2017:13:44:51 -0500] - repl5_inc_result_threadmain exiting
[09/Jan/2017:13:44:51 -0500] agmt="cn=example2" (alt:13864) - session end: state=5 load=1 sent=1 skipped=0
[09/Jan/2017:13:44:51 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Successfully released consumer
[09/Jan/2017:13:44:51 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): Beginning linger on the connection
[09/Jan/2017:13:44:51 -0500] NSMMReplicationPlugin - agmt="cn=example2" (alt:13864): State: sending_updates -> wait_for_changes
[timestamp] Plugin_name - message
[timestamp] - function - message
Example 7.5. Example ACL Plug-in Error Log Entry with Plug-in Logging
[09/Jan/2017:13:15:16 -0500] NSACLPlugin - conn=24826500108779577 op=10 (main): Allow search on entry(cn=replication,cn=config): root user
[09/Jan/2017:13:15:16 -0500] - <= slapi_vattr_filter_test 0
[09/Jan/2017:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2017:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2017:13:15:16 -0500] NSACLPlugin - Root access (read) allowed on entry(cn=replication,cn=config)
[09/Jan/2017:13:15:16 -0500] - slapi_filter_free type 0x87
[09/Jan/2017:13:15:16 -0500] - => get_filter_internal
[09/Jan/2017:13:15:16 -0500] - EQUALITY
[09/Jan/2017:13:15:16 -0500] - <= get_filter_internal 0
[09/Jan/2017:13:15:16 -0500] get_filter - before optimize:
[09/Jan/2017:13:15:16 -0500] get_filter - after optimize:
[09/Jan/2017:13:15:16 -0500] index_subsys_assign_filter_decoders - before: (objectClass=nsBackendInstance)
[09/Jan/2017:13:15:16 -0500] index_subsys_assign_filter_decoders - after: (objectClass=nsBackendInstance)
[09/Jan/2017:13:15:16 -0500] - => slapi_vattr_filter_test_ext
[09/Jan/2017:13:15:16 -0500] - => test_substring_filter
[09/Jan/2017:13:15:16 -0500] - EQUALITY
Note
4), access control list processing (128), schema parsing (2048), and housekeeping (4096) all record the functions called by the different operations being performed. In this case, the difference is not in the format of what is being recorded, but what operations it is being recorded for.
.conf file, printing every line, whenever the server starts up. This can be used to debug any problems with files outside of the server's normal configuration. By default, only slapd-collations.conf file, which contains configurations for international language sets, is available.
Example 7.6. Config File Processing Log Entry
[09/Jan/2009:16:08:18 -0500] - reading config file /etc/dirsrv/slapd-server/slapd-collations.conf
[09/Jan/2009:16:08:18 -0500] - line 46: collation "" "" "" 1 3 2.16.840.1.113730.3.3.2.0.1 default
[09/Jan/2009:16:08:18 -0500] - line 57: collation en "" "" 1 3 2.16.840.1.113730.3.3.2.11.1 en en-US
[09/Jan/2009:16:08:18 -0500] - line 58: collation en CA "" 1 3 2.16.840.1.113730.3.3.2.12.1 en-CA
[09/Jan/2009:16:08:18 -0500] - line 59: collation en GB "" 1 3 2.16.840.1.113730.3.3.2.13.1 en-GB
Example 7.7. Access Control Summary Logging
[09/Jan/2017:16:02:01 -0500] NSACLPlugin - #### conn=24826547353419844 op=1 binddn="uid=scarter,ou=people,dc=example,dc=com"
[09/Jan/2017:16:02:01 -0500] NSACLPlugin - conn=24826547353419844 op=1 (main): Allow search on entry(ou=people,dc=example,dc=com).attr(uid) to uid=scarter,ou=people,dc=example,dc=com: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=example,dc=com"
7.3. Audit Log Reference
timestamp: date
dn: modified_entry
changetype: action
action:attribute
attribute:new_value
-
replace: modifiersname
modifiersname: dn
-
replace: modifytimestamp
modifytimestamp: date
-
Example 7.8. Audit Log Content
... modifying an entry ...
time: 20170108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}8EcJhJoIgBgY/E5j8JiVoj6W3BLyj9Za/rCPOw==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20170108231429Z
-

... modifications to o=NetscapeRoot from logging into the Console ...
time: 20170108182758
dn: cn=general,ou=1.1,ou=console,ou=cn=directory manager,ou=userpreferences,ou=example.com,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference:: IwojVGh1IEphbiAwOCAxODoyNzo1OCBFU1QgMjAwOQpXaWR0aD03NzAKU2hvd1
 N0YXR1c0Jhcj10cnVlClNob3dCYW5uZXJCYXI9dHJ1ZQpZPTI3OApYPTI5OApIZWlnaHQ9NTE4Cg
 ==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20170108232758Z
-

... sending a replication update ...
time: 20170109131811
dn: cn=example2,cn=replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20170109181810Z
-
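An added example, not part of the original reference: a parser for the audit log record format shown in Example 7.8 that reports who changed which attributes and replaces the values of sensitive attributes such as userPassword before the records are forwarded elsewhere. It handles changetype: modify records only; the sample records, the SENSITIVE set, and the function names are assumptions made for this example.

```python
import base64
import re

# Constructed records in the audit log format of Example 7.8 (values are placeholders).
SAMPLE_AUDIT = """\
time: 20170108181429
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}CONSTRUCTED-NOT-A-REAL-HASH
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20170108231429Z
-

time: 20170108182758
dn: cn=general,ou=console,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference:: V2lkdGg9Nzcw
 ClNob3c9dHJ1ZQo=
-
replace: modifiersname
modifiersname: cn=directory manager
-
"""

SENSITIVE = {"userpassword"}  # assumption: extend with other secret-bearing attributes
BOOKKEEPING = {"modifiersname", "modifytimestamp"}  # written with every change


def parse_audit(text, sensitive=SENSITIVE):
    """Return one dict per audit record; sensitive values are replaced, not kept."""
    records, rec, change = [], None, None
    # LDIF folds long values onto continuation lines that start with one space.
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("time: "):
            rec = {"time": line[6:], "dn": None, "changetype": None,
                   "modifier": None, "changes": []}
            records.append(rec)
            change = None
            continue
        if rec is None or not line.strip():
            continue
        if line.strip() == "-":  # end of one add/replace/delete block
            change = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: value" carries base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = key.strip().lower()
        if change is None and name in ("dn", "changetype"):
            rec[name] = value
        elif change is None and name in ("add", "replace", "delete"):
            change = {"op": name, "attr": value, "values": []}
            if value.lower() not in BOOKKEEPING:
                rec["changes"].append(change)
        elif change is not None and name == change["attr"].lower():
            if name == "modifiersname":
                rec["modifier"] = value
            elif name in sensitive:
                change["values"].append("<redacted>")
            else:
                change["values"].append(value)
    return records


def sensitive_changes(records, sensitive=SENSITIVE):
    """List (time, target DN, modifier DN) for records touching a sensitive attribute."""
    return [(r["time"], r["dn"], r["modifier"]) for r in records
            if any(c["attr"].lower() in sensitive for c in r["changes"])]


if __name__ == "__main__":
    for row in sensitive_changes(parse_audit(SAMPLE_AUDIT)):
        print(row)
```
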
7.4. LDAP Result Codes
Table 7.5. LDAP Result Codes
| Hex Values | Constants | Hex Values | Constants |
|---|---|---|---|
| 0x00 | LDAP_SUCCESS | 0x31 | LDAP_INVALID_CREDENTIALS |
| 0x01 | LDAP_OPERATIONS_ERROR | 0x32 | LDAP_INSUFFICIENT_ACCESS |
| 0x02 | LDAP_PROTOCOL_ERROR | 0x33 | LDAP_BUSY |
| 0x03 | LDAP_TIMELIMIT_EXCEEDED | 0x34 | LDAP_UNAVAILABLE |
| 0x04 | LDAP_SIZELIMIT_EXCEEDED | 0x35 | LDAP_UNWILLING_TO_PERFORM |
| 0x05 | LDAP_COMPARE_FALSE | 0x40 | LDAP_NAMING_VIOLATION |
| 0x06 | LDAP_COMPARE_TRUE | 0x41 | LDAP_OBJECT_CLASS_VIOLATION |
| 0x07 | LDAP_AUTH_METHOD_NOT_SUPPORTED | 0x42 | LDAP_NOT_ALLOWED_ON_NONLEAF |
| 0x08 | LDAP_STRONG_AUTH_REQUIRED | 0x43 | LDAP_NOT_ALLOWED_ON_RDN |
| 0x09 | LDAP_PARTIAL_RESULTS | 0x44 | LDAP_ALREADY_EXISTS |
| 0x0a | LDAP_REFERRAL [a] | 0x45 | LDAP_NO_OBJECT_CLASS_MODS |
| 0x0b | LDAP_ADMINLIMIT_EXCEEDED [a] | 0x46 | LDAP_RESULTS_TOO_LARGE [b] |
| 0x0c | LDAP_UNAVAILABLE_CRITICAL_EXTENSION [a] | 0x47 | LDAP_AFFECTS_MULTIPLE_DSAS [a] |
| 0x0d | LDAP_CONFIDENTIALITY_REQUIRED [a] | 0x4C | LDAP_VIRTUAL_LIST_VIEW_ERROR |
| 0x0e | LDAP_SASL_BIND_IN_PROGRESS [a] | 0x50 | LDAP_OTHER |
| 0x10 | LDAP_NO_SUCH_ATTRIBUTE | 0x51 | LDAP_SERVER_DOWN |
| 0x11 | LDAP_UNDEFINED_TYPE | 0x52 | LDAP_LOCAL_ERROR |
| 0x12 | LDAP_INAPPROPRIATE_MATCHING | 0x53 | LDAP_ENCODING_ERROR |
| 0x13 | LDAP_CONSTRAINT_VIOLATION | 0x54 | LDAP_DECODING_ERROR |
| 0x14 | LDAP_TYPE_OR_VALUE_EXISTS | 0x55 | LDAP_TIMEOUT |
| 0x15 | LDAP_INVALID_SYNTAX | 0x56 | LDAP_AUTH_UNKNOWN |
| 0x20 | LDAP_NO_SUCH_OBJECT | 0x57 | LDAP_FILTER_ERROR |
| 0x21 | LDAP_ALIAS_PROBLEM | 0x58 | LDAP_USER_CANCELLED |
| 0x22 | LDAP_INVALID_DN_SYNTAX | 0x5A | LDAP_NO_MEMORY |
| 0x23 | LDAP_IS_LEAF [c] | 0x5C | LDAP_NOT_SUPPORTED |
| 0x24 | LDAP_ALIAS_DEREF_PROBLEM | 0x76 | LDAP_CANCELLED |
| 0x30 | LDAP_INAPPROPRIATE_AUTH | | |
[a] LDAPv3
[b] Reserved for CLDAP
[c] Not used in LDAPv3
7.5. Replacing Log Files with a Named Pipe
- Logging certain events, like failed bind attempts or connections from specific users or IP addresses
- Logging entries which match a specific regular expression pattern
- Keeping the log to a certain length (logging only the last number of lines)
- Sending a notification, such as an email, when an event occurs
ds-logpipe.py /path/to/named_pipe [--user pipe_user] [--maxlines number] [[--serverpidfile file.pid] | [--serverpid PID]] [--servertimeout seconds] [--plugin=/path/to/plugin.py | [pluginfile.arg=value]]
7.5.1. Using the Named Pipe for Logging
ds-logpipe.py /var/log/dirsrv/slapd-example/access
Using ds-logpipe.py in this way has the advantage of being simple to implement and not requiring any Directory Server configuration changes. This is useful for fast debugging or monitoring, especially if you are looking for a specific type of event.
- The log file to use has to be changed to the pipe (nsslapd-*log, where the * can be access, error, or audit[3], depending on the log type being configured)
- Buffering should be disabled because the script already buffers the log entries (nsslapd-*log-logbuffering)
- Log rotation should be disabled so that the server does not attempt to rotate the named pipe (nsslapd-*log-maxlogsperdir, nsslapd-*log-logexpirationtime, and nsslapd-*log-logrotationtime)
ldapmodify.
access.pipe:
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
replace: nsslapd-accesslog
nsslapd-accesslog: /var/log/dirsrv/slapd-instance_name/access.pipe
-
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off
-
replace: nsslapd-accesslog-maxlogsperdir
nsslapd-accesslog-maxlogsperdir: 1
-
replace: nsslapd-accesslog-logexpirationtime
nsslapd-accesslog-logexpirationtime: -1
-
replace: nsslapd-accesslog-logrotationtime
nsslapd-accesslog-logrotationtime: -1
Note
7.5.2. Starting the Named Pipe with the Server
Note
dse.ldif file before it can be called at server startup.
- Open the instance configuration file for the server system.
/etc/sysconfig/dirsrv-instance_name
Warning
Do not edit the /etc/sysconfig/dirsrv file.
- At the end of the file, there will be a line that reads:
# Put custom instance specific settings below here.
Below that line, insert the ds-logpipe.py command to launch when the server starts. For example:
# only keep the last 1000 lines of the error log
python /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe -m 1000 -u nobody -s /var/run/dirsrv/slapd-example.pid > /var/log/dirsrv/slapd-example/errors &
# only log failed binds
python /usr/bin/ds-logpipe.py /var/log/dirsrv/slapd-example/access.pipe -u nobody -s /var/run/dirsrv/slapd-example.pid --plugin=/usr/share/dirsrv/data/failedbinds.py failedbinds.logfile=/var/log/dirsrv/slapd-example/access.failedbinds &
Note
The -s option both specifies the .pid file for the server to write its PID to and sets the script to start and stop with the server process.
7.5.3. Using Plug-ins with the Named Pipe Log
- The plug-in function is called for every line read from the named pipe.
- The plug-in function must be a Python script and must end in .py.
- Any plug-in arguments are passed in the command line to the named pipe log script.
- A pre-operation function can be specified for when the plug-in is loaded.
- A post-operation function can be called for when the script exits.
7.5.3.1. Loading Plug-ins with the Named Pipe Log Script
ds-logpipe.py to use for plug-ins:
- The --plugin option gives the path to the plug-in file (which must be a Python script and must end in .py).
- The plugin.arg option passes plug-in arguments to the named pipe log script. The plug-in file name (without the .py extension) is plugin and any argument allowed in that plug-in can be arg.
ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe --plugin=/usr/share/dirsrv/data/example-funct.py example-funct.regex="warning" > warnings.txt
arg1:
--plugin=/path/to/pluginname.py pluginname.arg1=foo pluginname.arg1=bar pluginname.arg2=baz
{'arg1': ['foo', 'bar'],
 'arg2': 'baz'}
dict object with two keys. The first key is the string arg1, and its value is a Python list object with two elements, the strings foo and bar. The second key is the string arg2, and its value is the string baz. If an argument has only a single value, it is left as a simple string. Multiple values for a single argument name are converted into a list of strings.
7.5.3.2. Writing Plug-ins to Use with the Named Pipe Log Script
The ds-logpipe.py command expects up to three functions in any plug-in: plugin(), pre(), and post().
ds-logpipe.py command must specify the plugin function.
The plugin() function is performed against every line in the log data, while the pre() and post() functions are run when the script is started and stopped, respectively.
Example 7.9. Simple Named Pipe Log Plug-in
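def pre(myargs):
    retval = True
    myarg = myargs['argname']
    if isinstance(myarg, list):
        pass  # handle list of values
    else:
        pass  # handle single value
    bad_problem = False  # placeholder: set to True when the arguments cannot be used
    if bad_problem:
        retval = False
    return retval

def plugin(line):
    retval = True
    # do something with line
    something_is_bogus = False  # placeholder: set to True when the line signals a problem
    if something_is_bogus:
        retval = False
    return retval

def post():  # no arguments
    # do something
    # no return value
    pass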
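A fuller plug-in in the pre()/plugin()/post() shape of Example 7.9, added here as an illustration; it is not part of the original reference and is not the failedbinds.py file shipped with the product. It correlates connection, BIND and RESULT lines and raises one alert when a client address reaches a threshold of err=49 (LDAP_INVALID_CREDENTIALS) bind results. The module name bindwatch.py, the bindwatch.threshold and bindwatch.logfile arguments, the replay() helper and the access log line shapes in the constructed sample are assumptions.

```python
import re

# Access log line shapes this plug-in correlates (tag=97 marks a bind response).
CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97\b')
CLOSE_RE = re.compile(r'conn=(\d+) op=-?\d+ fd=\d+ closed')
INVALID_CREDENTIALS = 0x31  # LDAP_INVALID_CREDENTIALS (Table 7.5), logged as err=49

state = {}

def _single(value):
    # A repeated plug-in argument arrives as a list; use the last value given.
    return value[-1] if isinstance(value, list) else value

def pre(myargs):
    """Validate arguments and reset state; False reports unusable arguments."""
    state.clear()
    state.update(client={}, binddn={}, failures={}, alerts=[], out=None)
    try:
        state['threshold'] = int(_single(myargs.get('threshold', '5')))
    except ValueError:
        return False
    if state['threshold'] < 1:
        return False
    if 'logfile' in myargs:
        state['out'] = open(_single(myargs['logfile']), 'a')
    return True

def _alert(message):
    state['alerts'].append(message)
    if state['out']:
        state['out'].write(message + '\n')
        state['out'].flush()

def plugin(line):
    """Called for every line read from the pipe; a non-matching line is not an error."""
    m = CONN_RE.search(line)
    if m:                                   # remember which address owns the connection
        state['client'][m.group(1)] = m.group(2)
        return True
    m = BIND_RE.search(line)
    if m:                                   # remember the DN until its RESULT arrives
        state['binddn'][(m.group(1), m.group(2))] = m.group(3)
        return True
    m = RESULT_RE.search(line)
    if m:
        conn, op, err = m.group(1), m.group(2), int(m.group(3))
        dn = state['binddn'].pop((conn, op), '')
        if err == INVALID_CREDENTIALS:
            ip = state['client'].get(conn, 'unknown')
            count = state['failures'].get(ip, 0) + 1
            state['failures'][ip] = count
            if count == state['threshold']:  # alert once, when the threshold is reached
                _alert('%d failed binds from %s, last dn="%s"' % (count, ip, dn))
        return True
    m = CLOSE_RE.search(line)
    if m:                                   # drop per-connection state to bound memory
        conn = m.group(1)
        state['client'].pop(conn, None)
        for key in [k for k in state['binddn'] if k[0] == conn]:
            del state['binddn'][key]
    return True

def post():
    if state.get('out'):
        state['out'].close()

def replay(lines, args):
    """Drive pre(), plugin() and post() over saved lines, for offline testing."""
    if not pre(args):
        return None
    for line in lines:
        plugin(line)
    post()
    return list(state['alerts'])

# Constructed access log lines (not captured from a real server).
SAMPLE = [
    '[09/Jan/2017:16:02:01 -0500] conn=7 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1',
    '[09/Jan/2017:16:02:01 -0500] conn=7 op=0 BIND dn="uid=scarter,ou=people,dc=example,dc=com" method=128 version=3',
    '[09/Jan/2017:16:02:01 -0500] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0',
    '[09/Jan/2017:16:02:02 -0500] conn=7 op=1 BIND dn="uid=scarter,ou=people,dc=example,dc=com" method=128 version=3',
    '[09/Jan/2017:16:02:02 -0500] conn=7 op=1 RESULT err=49 tag=97 nentries=0 etime=0',
    '[09/Jan/2017:16:02:03 -0500] conn=8 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1',
    '[09/Jan/2017:16:02:03 -0500] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3',
    '[09/Jan/2017:16:02:03 -0500] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"',
    '[09/Jan/2017:16:02:04 -0500] conn=7 op=-1 fd=64 closed - U1',
]
```

Saved as bindwatch.py, it would be loaded with --plugin=/path/to/bindwatch.py bindwatch.threshold=5 bindwatch.logfile=/path/to/alerts.log, following the argument convention described in Section 7.5.3.1.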
Chapter 8. Command-Line Utilities
8.1. Command-Line Utilities Quick Reference
Table 8.1. Commonly-Used Command-Line Utilities
| Command-Line Utility | Description |
|---|---|
| ldif | Automatically formats LDIF files and creates base 64-encoded attribute values. For details on this tool, see appendix A in the Directory Server Administrator's Guide. |
| dbscan | Analyzes and extracts information from a Directory Server database file. |
| ds-logpipe.py | Writes Directory Server log data to a named pipe. |
| dn2rdn | For Directory Server instances upgraded from a version older than 9.0, this converts the id2entry.db4 database and entrydn index (formatted by the full entry DN) into the id2entry.db4 database with the entryrdn index (formatted by the RDN). |
8.2. ldif
ldif automatically formats LDIF files and creates base-64 encoded attribute values. Base-64 encoding makes it possible to represent binary data, such as a JPEG image, in LDIF. Base-64 encoded data is represented using a double colon (::) symbol. For example:
jpegPhoto:: encoded data
- Any value that begins with a space.
- Any value that begins with a single colon (:).
- Any value that contains non-ASCII data, including newlines.
The ldif command-line utility will take any input and format it with the correct line continuation and appropriate attribute information. The ldif utility also senses whether the input requires base-64 encoding.
ldif [-b] [attrtypes] [optional_options]
Table 8.2. ldif Options
| Option | Description |
|---|---|
| -b | Specifies that the ldif utility should interpret the entire input as a single binary value. If -b is not present, each line is considered to be a separate input value. As an alternative to the -b option, use the :< URL specifier notation. For example: jpegphoto:< file:///tmp/myphoto.jpg. Although the official notation requires three ///, the use of one / is accepted. Note: The :< URL specifier notation only works if the LDIF statement is version 1 or later, meaning version: 1 is inserted in the LDIF file. Otherwise, the file URL is appended as the attribute value rather than the contents of the file. |
8.3. dbscan
The dbscan tool analyzes and extracts information from a Directory Server database file. There are four kinds of database files that can be scanned with dbscan:
- id2entry.db4, the main database file for a user database
- entryrdn.db4 for a user database
- secondary index files for a user database, like cn.db4
- numeric_string.db4 for the changelog in /var/lib/dirsrv/slapd-instance_name/changelogdb
.db2, .db3, and .db4 extensions in their filename, depending on the version of Directory Server.
Table 8.3. Common Options
| Option | Description |
|---|---|
| -f filename | Specifies the name of the database file, the contents of which are to be analyzed and extracted. This option is required. |
| -R | Dump the database as raw data. |
| -t size | Specifies the entry truncate size (in bytes). |
Note
id2entry.db4.
Table 8.4. Entry File Options
| Option | Description |
|---|---|
| -K entry_id | Specifies the entry ID to look up. |
Note
Table 8.5. Index File Options
| Option | Description |
|---|---|
| -k key | Specifies the key to look up in the secondary index file. |
| -l size | Sets the maximum length of the dumped ID list. The valid range is from 40 to 1048576 bytes. The default value is 4096. |
| -G n | Displays only those index entries with ID lists exceeding the specified length. |
| -n | Displays only the length of the ID list. |
| -r | Displays the contents of the ID list. |
| -s | Gives the summary of index counts. |
The following are command-line examples of different situations using dbscan to examine the Directory Server databases.
Example 8.1. Dumping the Entry File
dbscan -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/id2entry.db4
Example 8.2. Displaying the Index Keys in cn.db4
dbscan -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/cn.db4
Example 8.3. Displaying the Index Keys and the Count of Entries with the Key in mail.db4
dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/mail.db4
Example 8.4. Displaying the Index Keys and the All IDs with More Than 20 IDs in sn.db4
dbscan -r -G 20 -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/sn.db4
Example 8.5. Displaying the Summary of objectclass.db4
dbscan -s -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/objectclass.db4
Example 8.6. Displaying VLV Index File Contents
dbscan -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/vlv#bymccoupeopledcpeopledccom.db4
Example 8.7. Displaying the Changelog File Contents
dbscan -f /var/lib/dirsrv/slapd-instance_name/changelogdb/c1a2fc02-1d11b2-8018afa7-fdce000_424c8a000f00.db4
Example 8.8. Dumping the Index File uid.db4 with Raw Mode
dbscan -R -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/uid.db4
Example 8.9. Displaying the entryID with the Common Name Key "=hr managers"
=hr managers, and the equals sign (=) means the key is an equality index.
dbscan -k "=hr managers" -r -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/cn.db4
=hr%20managers 7
Example 8.10. Displaying an Entry with the entry ID of 7
dbscan -K 7 -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/id2entry.db4
id 7
dn: cn=HR Managers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Manager
ou: groups
description: People who can manage HR entries
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20050408230424Z
modifyTimestamp: 20050408230424Z
nsUniqueId: 8b465f73-1dd211b2-807fd340-d7f40000
parentid: 3
entryid: 7
entrydn: cn=hr managers,ou=groups,dc=example,dc=com
Example 8.11. Displaying the Contents of entryrdn Index
dbscan -f /var/lib/dirsrv/slapd-instance_name/db/userRoot/entryrdn.db4 -k "dc=example,dc=com"
dc=example,dc=com
ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C1:dc=example,dc=com
ID: 2; RDN: "cn=Directory Administrators"; NRDN: "cn=directory administrators"
2:cn=directory administrators
ID: 2; RDN: "cn=Directory Administrators"; NRDN: "cn=directory administrators"
P2:cn=directory administrators
ID: 1; RDN: "dc=example,dc=com"; NRDN: "dc=example,dc=com"
C1:dc=example,dc=com
ID: 3; RDN: "ou=Groups"; NRDN: "ou=groups"
3:ou=groups
ID: 3; RDN: "ou=Groups"; NRDN: "ou=groups"
[...]
8.4. ds-logpipe.py
- The error log level can be set very high for diagnosing an issue to create a log of only the last few hundred or thousand log messages, without a performance hit.
- Messages can be filtered to keep only certain events of interest. For example, the named pipe script can record only failed BIND attempts in the access log, and other events are discarded.
- The script can be used to send notifications when events happen, like adding or deleting a user entry or when a specific error occurs.
ds-logpipe.py /path/to/named_pipe [--user pipe_user] [--maxlines number] [[--serverpidfile file.pid] | [--serverpid PID]] [--servertimeout seconds] [--plugin=/path/to/plugin.py | [pluginfile.arg=value]]
Several of the options that can be used with ds-logpipe.py have abbreviated arguments.
Table 8.6. ds-logpipe.py Options
| Option | Abbreviation | Description |
|---|---|---|
| /path/to/named_pipe | | Required. The full path and name of the pipe to which the server will send the logging data. If SELinux is in enforcing mode, then the named pipe must be in the instance's default log directory (/var/log/dirsrv/slapd-instance_name) so that the Directory Server can access and run the pipe file without violating SELinux rules. |
| --user | -u | The user ID to which the named pipe will be chowned. Any files created by plug-ins will also be owned by that user. |
| --maxlines | -m | The number of lines to keep in the buffer. The default is 1000. |
| --serverpidfile | -s | The name of the file which contains the PID of the server. By default, this is /var/run/dirsrv/slapd-instance_name.pid. This option allows you to start and stop the named pipe with the server process. |
| --serverpid | | The process ID for the server. The server must already be running to use this argument. |
| --servertimeout | -t | The amount of time, in seconds, to wait for the PID file to be created and for the process to be running. The default is 60 (seconds). |
| --plugin | | Gives the name of a plug-in to call which defines a function to call with each line read from the pipe. An optional pre-function can be given to call when the plug-in is loaded, and an optional post-function can be given to run when the script exits. This file must be a Python script and must end in .py. Arguments can be passed to the plug-in using the pluginfile.arg option. |
| pluginfile.arg | | Defines a plug-in argument. pluginfile is the name of the plug-in and each arg is the name of the argument for that plug-in. For example, to pass an argument named ldifinput to a plug-in named exampleplug, the argument would be exampleplug.ldifinput. |
The procedures for configuring the server for named pipe logging are covered in Section 7.5, “Replacing Log Files with a Named Pipe”.
Example 8.12. Basic Named Pipe Log Script
ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe
Note
kill -1 %1 can be used to tell the script to dump the last 1000 lines of the buffer to stdout, and continue running in the background.
Example 8.13. Running the Named Pipe Log Script in the Background
ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe &
Example 8.14. Saving the Output from the Named Pipe Log Script
ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe > /etc/dirsrv/myerrors.log 2>&1
-s argument. The PID for the server can be referenced either by pointing to the server PID file or by giving the actual process ID number (if the server process is already running).
Example 8.15. Specifying the Server PID
ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe --serverpidfile /var/run/dirsrv/slapd-example.pid
Example 8.16. Named Pipe Log Script with a Related Plug-in
ds-logpipe.py /var/log/dirsrv/slapd-example/errors.pipe --plugin=/usr/share/dirsrv/data/logregex.py logregex.regex="warning"
warning are stored in the internal buffer and printed when the script exits.
- logregex.py keeps only log lines that match the given regular expression. The plug-in argument has the format logregex.regex=pattern to specify the string or regular expression to use. There can be multiple logregex.regex arguments, which are all treated as AND statements. The error log line must match all given arguments. To allow any matching log lines to be recorded (OR), use a single logregex.regex argument with a pipe (|) between the strings or expressions. See the pcre or Python regular expression documentation for more information about regular expressions and their syntax.
- failedbinds.py logs only failed BIND attempts, so this plug-in is only used for the access log. This takes the option failedbinds.logfile=/path/to/access.log, which is the file that the actual log messages are written to. This plug-in is an example of a complex plug-in that does quite a bit of processing and is a good place to reference to do other types of access log processing.
8.5. dn2rdn
entrydn index to help map the entry IDs in the id2entry.db4 database to the full DNs of the entry. (One side effect of this was that modrdn operations could only be done on leaf entries, because there was no way to identify the children of an entry and update their DNs if the parent DN changed.) When subtree-level renames are allowed, then the ID-to-entry mapping is done using the entryrdn index with the id2entry.db4 database.
entrydn index. The dn2rdn tool has one purpose: to convert the entry index mapping from a DN-based format to an RDN-based format, by converting the entrydn index to entryrdn.
Note
dn2rdn tool is in the /usr/lib[64]/dirsrv/slapd-instance directory, the instance server root, since it is always run on the local Directory Server instance.
dn2rdn does not have any options.
The dn2rdn tool takes no options, since it always converts the local entrydn index to entryrdn.
Example 8.17. Running dn2rdn
# /usr/lib[64]/dirsrv/slapd-instance/dn2rdn
Chapter 9. Command-Line Scripts
ns-slapd interface commands that are documented in Appendix A, Using the ns-slapd Command-Line Utilities.
9.1. Finding and Executing Command-Line Scripts
/usr/lib64/dirsrv/slapd-instance/slapd-instance_name on Red Hat Enterprise Linux 5 (64-bit) directory (or /usr/lib/dirsrv/slapd-instance_name on Red Hat Enterprise Linux 5 (32-bit)). A few are located in the /usr/bin directory. The exact locations are listed in Section 9.2, “Command-Line Scripts Quick Reference”.
dse.ldif file is located in the /etc/dirsrv/slapd-instance_name directory.
9.2. Command-Line Scripts Quick Reference
/usr/lib64/dirsrv/slapd-instance/slapd-instance_name directory on Red Hat Enterprise Linux 5 (64-bit) and in /usr/lib/dirsrv/slapd-instance_name directory on Red Hat Enterprise Linux 5 (32-bit).
Table 9.1. Shell Scripts in /usr/lib64/dirsrv/slapd-instance/slapd-instance_name (or /usr/lib/dirsrv/slapd-instance_name)
| Shell Script | Description |
|---|---|
| bak2db | Restores the database from the most recent archived backup. |
| db2bak | Creates a backup of the current database contents. |
| db2ldif | Exports the contents of the database to LDIF. |
| db2index | Reindexes the database index files. |
| dbverify | Checks back end database files. |
| ldif2db | Imports LDIF files to the database. Runs the ns-slapd command-line utility with the ldif2db keyword. |
| ldif2ldap | Performs an import operation over LDAP to the Directory Server. |
| monitor | Retrieves performance monitoring information using the ldapsearch command-line utility. |
| restart-slapd | Restarts Directory Server. |
| restoreconfig | Restores by default the most recently saved Admin Server configuration to NetscapeRoot partition. |
| saveconfig | Saves Admin Server configuration stored in the NetscapeRoot database to the /var/lib/dirsrv/slapd-instance_name/bak directory. |
| start-slapd | Starts Directory Server. |
| stop-slapd | Stops Directory Server. |
| suffix2instance | Maps a suffix to a back end name. |
| upgradednformat | Migrates older DN syntax formats to RFC 4514 compliant formats. |
| vlvindex | Creates and generates virtual list view (VLV) indexes. |
Table 9.2. Perl Scripts in /usr/lib64/dirsrv/slapd-instance/slapd-instance_name (or /usr/lib/dirsrv/slapd-instance_name)
| Perl Script | Description |
|---|---|
| bak2db.pl | Restores the database from the most recent archived backup. |
| db2bak.pl | Creates a backup of the current database contents. |
| db2index.pl | Creates and regenerates indexes. |
| db2ldif.pl | Exports the contents of the database to LDIF. |
| fixup-linkedattrs.pl | Goes through all of the linked attributes in entries and updates the corresponding entries to have the correct managed attributes (and values). |
| fixup-memberof.pl | Regenerates the memberOf on user entries to reflect changes in group membership. |
| ldif2db.pl | Imports LDIF files to a database and runs the ns-slapd command-line utility with the ldif2db keyword. |
| ns-accountstatus.pl | Provides account status information to establish whether an entry or group of entries is locked. |
| ns-activate.pl | Activates an entry or a group of entries by unlocking them. |
| ns-inactivate.pl | Deactivates an entry or a group of entries. |
| ns-newpwpolicy.pl | Adds relevant entries required for the fine-grained (user- and subtree-level) password policy. |
| schema-reload.pl | Reloads schema dynamically into the server instance. |
| syntax-validate.pl | Checks existing data in a database to find any syntax violations in the attribute values. |
| usn-tombstone-cleanup.pl | Deletes tombstone entries managed by the update sequence number plug-in for a server instance (as opposed to the replication tombstone entries). |
| verify-db.pl | Checks back end database files. |
Table 9.3. Scripts in /usr/bin and /usr/sbin
| Script Name | Description | Perl or Shell Script |
|---|---|---|
| cl-dump | Dumps and decodes the changelog. | Shell |
| cl-dump.pl | Dumps and decodes the changelog. | Perl |
| ds_removal | Removes a server instance. | Shell |
| logconv.pl | Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. | Perl |
| migrate-ds-admin.pl | Migrates a Directory Server 7.1 instance. | Perl |
| pwdhash | Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, use this script to compare the user's password to the password stored in the directory. | Shell |
| register-ds-admin.pl | Re-registers a Directory Server instance with the local Admin Server. | Perl |
| remove-ds.pl | Removes a Directory Server instance. | Perl |
| remove-ds-admin.pl | Removes a Directory Server instance and its associated Admin Server instance. | Perl |
| repl-monitor | Provides in-progress status of replication. | Shell |
| repl-monitor.pl | Provides in-progress status of replication. | Perl |
| restart-dirsrv | Restarts a single Directory Server instance or all Directory Server instances. | Shell |
| restart-ds-admin | Restarts the Admin Server instance. | Shell |
| setup-ds.pl | Creates or recreates a Directory Server instance. | Perl |
| setup-ds-admin.pl | Creates a new Directory Server instance and local Admin Server instance. | Perl |
| start-dirsrv | Starts a single Directory Server instance or all Directory Server instances. | Shell |
| start-ds-admin | Starts the Admin Server instance. | Shell |
| stop-dirsrv | Stops a single Directory Server instance or all Directory Server instances. | Shell |
| stop-ds-admin | Stops the Admin Server instance. | Shell |
9.3. Shell Scripts
9.3.1. bak2db (Restores a Database from Backup)
bak2db backupDirectory -n backend
Table 9.4. bak2db Options
| Option | Description |
|---|---|
| backupDirectory | Gives the backup directory path. |
| -n backendInstance | Optional. Specifies the back end name, such as userRoot, which is being restored. This option is only used for filesystem replica initialization or to restore a single database; it is not necessary to use the -n option to restore the entire directory. |
9.3.2. cl-dump (Dumps and Decodes the Changelog)
cl-dump is a shell script wrapper of cl-dump.pl to set the appropriate library path.
cl-dump -h host -p port -D bindDn [-w bindPassword | -P bindCert] -r replicaRoots -o outputFile [-c] [-v]
cl-dump [-i changelogFile] [-o outputFile] [-c]
Without the -i option, the script must be run when the Directory Server is running from a location from which the server's changelog directory is accessible.
Table 9.5. cl-dump Options
| Option | Description |
|---|---|
| -c | Dumps and interprets CSN only. This option can be used with or without the -i option. |
| -D bindDn | Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted. |
| -h host | Specifies the Directory Server's host. This defaults to the server where the script is running. |
| -i changelogFile | Specifies the path to the changelog file. If there is a changelog file and if certain changes in that file are base-64 encoded, use this option to decode that changelog. |
| -o outputFile | Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted. |
| -p port | Specifies the Directory Server's port. The default value is 389. |
| -P bindCert | Specifies the path, including the filename, to the certificate database that contains the certificate used for binding. |
| -r replicaRoots | Specifies the replica-roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped. |
| -v | Prints the version of the script. |
| -w bindPassword | Specifies the password for the bind DN. |
9.3.3. cleanallruv.pl (Cleans RUV data)
The cleanallruv.pl Perl script creates and adds a cleanAllRUV task to the Directory Server. Additionally, the script is able to abort currently running cleanAllRUV tasks.
cleanallruv.pl [-D root_DN] [-w bind_password | -w - | -j file_name] [-b base_DN] [-r replica_ID] [-A] [-h]
Table 9.6. cleanallruv.pl command options
| Option | Description |
|---|---|
| -D root_DN | Specifies the distinguished name (DN) used to bind to Directory Server. This is usually the cn=Directory Manager or root DN account. If you do not set this parameter, the script searches the Directory Server instance configuration for the value. |
| -w password | Sets the password for the bind DN. |
| -w - | Prompts for the bind DN's password. |
| -j file_name | Reads the password for the bind DN account from the file passed to the parameter. |
| -b base_DN | Sets the suffix of the replica that is cleaned up. |
| -r replica_ID | Sets the replica ID to remove. |
| -A | Abort a cleanAllRUV task that is currently running. |
| -h | Displays the usage information of the script. |
9.3.4. db2bak (Creates a Backup of a Database)
Important
db2bak.pl Perl script or using the Directory Server Console if the server is kept running. The changelog only writes its RUV entries to the database when the server is shut down; while the server is running, the changelog keeps its changes in memory. For the Perl script and the Console, these changelog RUVs are written to the database before the backup process runs. However, that step is not performed by the command-line script.
db2bak should not be run on a running master server. Either use the Perl script or stop the server before performing the backup.
db2bak [backupDirectory]
9.3.5. db2ldif (Exports Database Contents to LDIF)
-r option. To export the replication state information, shut down the server first, then run db2ldif with -r.
Note
db2ldif uses the entryrdn index to order the parent-child entries when it exports the database; this enables the exported LDIF file to be used for import, since the proper hierarchy of parent and child entries is preserved. If the entryrdn index is unavailable for some reason, then db2ldif uses the parentid key for each entry to identify the parent and export it before the child entry. This second method allows the export operation to succeed, but the operation may take a long time to complete.
ns-slapd command-line utility with the db2ldif keyword. Ellipses (...) indicate that multiple occurrences are allowed.
db2ldif [[-n backendInstance] | [-s includeSuffix]] [[-x excludeSuffix]] [-r] [-C] [-u] [-U] [-m] [-M] [-a outputFile] [-1] [-N] [-E]
Either the -n or the -s option must be specified. By default, the output LDIF will be stored in one file. To specify the use of several files, use the option -M.
Table 9.7. db2ldif Options
| Option | Description |
|---|---|
| -1 | Deletes, for reasons of backward compatibility, the first line of the LDIF file which gives the version of the LDIF standard. |
| -a outputFile | Gives the name of the output LDIF file. |
| -C | Uses only the main database file. |
| -E | Decrypts encrypted data during export. This option is used only if database encryption is enabled. |
| -m | Sets minimal base-64 encoding. |
| -M | Uses multiple files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for -a option). |
| -n backendInstance | Gives the instance to be exported. |
| -N | Specifies that the entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index. |
| -r | Exports the information required to initialize a replica when the LDIF is imported. Using this option requires that the server be stopped first, then run the db2ldif command. The LDIF file which is created with db2ldif can be imported using ldif2db. When it is imported, if the -r option was used, then the database is automatically initialized as a replica. See Section 9.3.10, “ldif2db (Import)” for information on importing an LDIF file. |
| -s suffix_name | Names the suffixes to be included or the subtrees to be included if -n has been used. |
| -u | Requests that the unique ID is not exported. |
| -U | Requests that the output LDIF is not folded. |
| -x suffix_name | Names the suffixes to be excluded. |
9.3.6. db2index (Reindexes Database Index Files)
Note
db2index uses the entryrdn index to order the parent-child entries when it indexes the database to preserve the proper hierarchy of parent and child entries. If the entryrdn index is unavailable for some reason, then db2index uses the parentid key for each entry to identify the parent. This second method allows the index operation to succeed, but the operation may take a long time to complete.
db2index [[-n backendInstance] | [-s includeSuffix]] [-t [attributeName{:indextypes(:matchingrules)}]] [-T vlvAttribute]
Here are a few sample commands:
- Reindex all the database index files:
  db2index
- Reindex cn and givenname in the database instance userRoot:
  db2index -n userRoot -t cn -t givenname
- Reindex cn in the database where the root suffix is dc=example,dc=com:
  db2index -s "dc=example,dc=com" -t cn
Table 9.8. db2index Options
| Option | Description |
|---|---|
| -n backendInstance | Gives the name of the instance to be reindexed. |
| -s includeSuffix | Gives suffixes to be included or the subtrees to be included if -n has been used. |
| -t attributeName{:indextypes(:matchingrules)} | Names of the attributes to be reindexed. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID. |
| -T vlvAttributeName | Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config. |
9.3.7. dbmon.sh (Database Monitoring and Entry Cache Usage)
The dbmon.sh script enables you to monitor the Directory Server database and entry cache usage. You can use the values the script displays to tune the database, entry and DN cache.
dbmon.sh continuously returns database information until you terminate the script by pressing the Ctrl+C keyboard shortcut.
Syntax
[INCR=seconds] [HOST=host_name] [PORT=port_number] [BINDDN=bind_DN] [BINDPW=bind_password] [DBLIST=databases] [INDEXLIST=indexes] [VERBOSE=level] dbmon.sh
Options
The dbmon.sh script does not take any command-line options. You can specify additional options by using environment variables. For example:
HOST=server.example.com BINDPW=password dbmon.sh
| Option | Parameter | Description |
|---|---|---|
| INCR | seconds | Returns output every period set in this option. Default: 1 second |
| HOST | host_name | Host name or IP address. Default: localhost |
| PORT | port_number | Port number. Default: 389 |
| BINDDN | bind_DN | DN used to bind to the directory. The account specified must have read permissions for the cn=config entry and sub entries. Default: cn=Directory Manager |
| BINDPW | bind_password | Password for the bind DN. Default: secret |
| DBLIST | databases | Space-separated list of databases to check. Enter the list in quotes or escape spaces. Default: all databases |
| INDEXLIST | indexes | Space-separated list of indexes to show for every database. Enter the list in quotes or escape spaces. To display all indexes, set the parameter to all. Default: none |
| VERBOSE | level | Sets the output level. Default: 0 Available values: |
9.3.8. dbverify (Checks for Corrupt Databases)
Important
dbverify when a modify operation is in progress. This command calls the BerkeleyDB utility db_verify and does not perform any locking. This can lead to data corruption if the script is run at the same time as a modify. If that occurs, an entry will be recorded in the error log:
DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted. Please run db2index(.pl) for reindexing.
db2index -t uid to avoid rebuilding all of the indexes or export and reimport all of the databases using db2ldif and ldif2db.
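The following sketch scans an error log for the db_verify messages quoted above and groups them per database file, so a corrupted secondary index can be told apart from other failures. It is an added example, not part of the Directory Server tooling; the function names, the result layout and the extra sample line are assumptions made for illustration.

```python
import re

# The three error-log lines quoted on this page, followed by one
# constructed line that has nothing to do with db_verify.
SAMPLE_LOG = """\
DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted. Please run db2index(.pl) for reindexing.
INFO: constructed unrelated line
"""

PAGE_RE = re.compile(r"DB ERROR: db_verify: Page (\d+): (.+)")
BAD_RE = re.compile(r"DB ERROR: db_verify: DB->verify: (\S+): DB_VERIFY_BAD")
INDEX_RE = re.compile(r"Secondary index file (\S+) in (\S+) is corrupted")
# Only plain attribute names are turned into a command argument; the name
# comes from a log file and is treated as untrusted input.
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def _new(path):
    return {"path": path, "pages": [], "secondary_index": False, "remedy": None}


def triage(log_text):
    """Group db_verify failures per database file and pick the remedy."""
    findings = {}
    pending = []  # page errors seen since the last DB_VERIFY_BAD line
    for line in log_text.splitlines():
        m = PAGE_RE.search(line)
        if m:
            pending.append((int(m.group(1)), m.group(2).strip()))
            continue
        m = BAD_RE.search(line)
        if m:
            entry = findings.setdefault(m.group(1), _new(m.group(1)))
            entry["pages"] += pending
            pending = []
            continue
        m = INDEX_RE.search(line)
        if m:
            path = f"{m.group(2)}/{m.group(1)}"
            entry = findings.setdefault(path, _new(path))
            entry["secondary_index"] = True
            attr = m.group(1).rsplit(".", 1)[0]
            if ATTR_RE.match(attr):
                # argv list, so the value is never parsed by a shell
                entry["remedy"] = ["db2index", "-t", attr]
    # remedy None: no index named, fall back to db2ldif / ldif2db
    return list(findings.values())
```

A finding whose remedy is None was not confirmed as a secondary index, which leaves the export and reimport path with db2ldif and ldif2db.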
dbverify is a shell script wrapper of verify-db.pl to set the appropriate library path.
dbverify [-a /path/to/database_directory]
Table 9.9. dbverify Options
| Option | Description |
|---|---|
| -a path | Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db. |
9.3.9. ds_removal
The ds_removal tool removes a single instance of Directory Server. The server instance usually must be running when this script is run so that the script can bind to the instance. It is also possible to force the script to run, which may be necessary if there was an interrupted installation process or the instance is corrupted or broken so that it cannot run.
cert8.db and key3.db, are not removed, so the remaining instance directory is renamed removed.slapd-instance.
| Option | Parameter | Description |
|---|---|---|
| -f | | Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway. |
| -s | instance_name | The name of the instance to remove. |
| -w | manager_password | The Directory Manager password to use to bind to the instance. |
9.3.10. ldif2db (Import)
ns-slapd command-line utility with the ldif2db keyword. To run this script, the server must be stopped. Ellipses indicate that multiple occurrences are allowed.
Note
ldif2db supports LDIF version 1 specifications. An attribute can also be loaded using the :< URL specifier notation; for example:
jpegphoto:< file:///tmp/myphoto.jpg
Although the official notation requires three ///, the use of one / is accepted. For further information on the LDIF format, see the "Managing Directory Entries" chapter in the Red Hat Directory Server Administrator's Guide.
ldif2db [[-n backendInstance] | [[-s includeSuffix] ...]] [-x excludeSuffix] [[-i ldifFile]] [-O] [-g string] [-G namespaceId] [-E]
Table 9.10. ldif2db Options
| Option | Description |
|---|---|
| -c | Merges chunk size. |
| -E | Encrypts data during import. This option is used only if database encryption is enabled. |
| -g string | Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic namespace_id, where namespace_id is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Use this option when the same LDIF file is imported into two different Directory Servers and the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified. |
| -G namespaceId | Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option. |
| -i ldifFile | Gives the names of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line. |
| -n backendInstance | Gives the instance to be imported. Ensure that the specified instance corresponds to the suffix contained by the LDIF file; otherwise, the data contained by the database is deleted, and the import fails. |
| -O | Requests that only the core database is created, without attribute indexes. |
| -s includeSuffix | Gives the suffixes to be included or to specify the subtrees to be included if -n has been used. |
| -x excludeSuffix | Gives the suffixes to be excluded. |
9.3.11. ldif2ldap (Performs Import Operation over LDAP)
ldif2ldap [-D rootdn] [-w password] [-f filename]
Table 9.11. ldif2ldap Options
| Option | Description |
|---|---|
| -D rootdn | Gives a user DN with root permissions, such as Directory Manager. |
| -f filename | Gives the name of the file to be imported. When importing multiple files, the files are imported in the order they are specified on the command line. |
| -w password | Gives the password associated with the user DN. |
9.3.12. monitor (Retrieves Monitoring Information)
ldapsearch command-line utility.
monitor
There are no options for this script.
9.3.13. repl-monitor (Monitors Replication Status)
repl-monitor is a shell script wrapper of repl-monitor.pl to set the appropriate library path.
repl-monitor [-h host] [-p port] [-f configFile] [-u refreshUrl] [-t refreshInterval] [-r] [-v]
Table 9.12. repl-monitor Options
| Option | Description |
|---|---|
| -h host | Specifies the initial replication supplier's host. The default value is the current host name. |
| -f configFile | Specifies the absolute path to the configuration file, which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format. |
| -p port | Specifies the initial replication supplier's port. The default value is 389. |
| -r | If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine — such as specifying multiple, different, unrelated supplier servers — and expecting a single HTML output. |
| -t refreshInterval | Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option. |
| -u refreshUrl | Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option. The script has been integrated into Red Hat Administration Express, so that the replication status can be monitored through a web browser. |
| -v | Prints the version of this script. |
The configuration file defines the following:
- The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory.
- The server alias for more readable server names; specifying this information is optional.
- The color thresholds for time lags; specifying this information is optional.
[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...
[alias]
alias = host:port
alias = host:port
...
[color]
lowmark = color
lowmark = color
cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path of a certificate database.
host1 share the same binddn and bindpassword, the connection section will need to contain just two entries:
[connection]
*:*:binddn:bindpassword:
host1:*:binddn1:bindpassword1:
Supplier1, Supplier2, and Hub1, to identify the servers in the replication topology. If used, the output shows these aliases, instead of http(s)://hostname:port.
# character or a connection entry of the format:
host:port:binddn:bindpwd:bindcert
- host, port, and binddn can be replaced with relevant values or *, or omitted altogether. If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file. If port is null or *, the port will default to the port stored in the current replication agreement. If binddn is null or *, it defaults to cn=Directory Manager.
- bindcert can be replaced with the full path to the certificate database, null, or *. If bindcert is omitted or replaced with *, the connection will be a simple bind.
#Configuration File for Monitoring Replication Via Admin Express
[connection]
*:*:*:mypassword
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
host:port=shadowport:binddn:bindpwd:bindcert
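The defaulting rules for connection entries are easier to check in code than by eye. The following added example (not the repl-monitor script's own code) parses the configuration file format described above, resolves which bind parameters apply to a given server, and lists what a reviewer would flag: stored passwords, wildcard entries that carry a password, binds that fall back to cn=Directory Manager, and a file readable by group or others. Assumptions: entries are matched on host only, the shadowport form is kept as an opaque port string, and all function names and finding codes are made up for this sketch.

```python
import os
import stat

DEFAULT_BINDDN = "cn=Directory Manager"  # default the page gives for binddn
FIELDS = ("host", "port", "binddn", "bindpwd", "bindcert")

# Constructed sample: the page's example file plus one dedicated entry whose
# host, DN, password and certificate path are made up.
SAMPLE_CONFIG = """\
#Configuration File for Monitoring Replication Via Admin Express
[connection]
*:*:*:mypassword
host1.example.com:10011:cn=replmon,cn=config:s3cret:/etc/dirsrv/certdb
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
"""


def is_blank(value):
    """Null and '*' are equivalent in a connection entry."""
    return value in ("", "*")


def parse_config(text):
    """Split the file into its [connection], [alias] and [color] sections."""
    cfg = {"connection": [], "alias": {}, "color": {}}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section not in cfg:
                raise ValueError(f"line {lineno}: unknown section {line!r}")
        elif section == "connection":
            # Trailing fields may be omitted, as in '*:*:*:mypassword'.
            parts = [p.strip() for p in line.split(":", 4)]
            parts += [""] * (len(FIELDS) - len(parts))
            cfg["connection"].append(dict(zip(FIELDS, parts)))
        elif section in ("alias", "color"):
            key, sep, value = (s.strip() for s in line.partition("="))
            if not sep:
                raise ValueError(f"line {lineno}: expected 'name = value'")
            cfg[section][int(key) if section == "color" else key] = value
        else:
            raise ValueError(f"line {lineno}: entry outside any section")
    return cfg


def resolve(cfg, host, agreement_port):
    """Return the bind parameters that apply to one server, or None."""
    entries = cfg["connection"]
    dedicated = [e for e in entries if e["host"].lower() == host.lower()]
    fallback = [e for e in entries if is_blank(e["host"])]
    if not (dedicated or fallback):
        return None
    entry = (dedicated or fallback)[0]
    cert = None if is_blank(entry["bindcert"]) else entry["bindcert"]
    return {
        "host": host,
        "port": str(agreement_port) if is_blank(entry["port"]) else entry["port"],
        "binddn": DEFAULT_BINDDN if is_blank(entry["binddn"]) else entry["binddn"],
        "bindpwd": entry["bindpwd"],
        "bindcert": cert,
        "bind": "simple" if cert is None else "certificate",
    }


def audit(cfg, path=None):
    """List (code, detail) findings a reviewer would raise on this file."""
    findings = []
    for e in cfg["connection"]:
        label = f"{e['host'] or '*'}:{e['port'] or '*'}"
        if e["bindpwd"]:
            findings.append(("cleartext-password", label))
            if is_blank(e["host"]):
                # Offered to every server that has no dedicated entry.
                findings.append(("wildcard-credential", label))
        if is_blank(e["binddn"]):
            findings.append(("root-dn-bind", f"{label} binds as {DEFAULT_BINDDN}"))
    if path is not None:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(("file-permissions", f"{path} is mode {mode:o}"))
    return findings
```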
9.3.14. pwdhash (Prints Encrypted Passwords)
pwdhash [-D config_directory] [-H] [[-s scheme] | [-c comparepwd]] [password]
Table 9.13. pwdhash Options
| Option | Description |
|---|---|
| -D config_directory | Gives the full path to the configuration directory. |
| -c password | Gives the hashed password string to which to compare the user's password. |
| -s scheme | Gives the scheme to hash the given password. |
| -H | Shows the help. |
SSHA, SHA, CRYPT, and CLEAR, see the Directory Server Administrator's Guide.
9.3.15. restart-dirsrv (Restarts the Directory Server)
restart-dirsrv [instance_name]
| Option | Description |
|---|---|
| instance_name | A name of a specific Directory Server instance to restart. If the instance name isn't given, then all local Directory Server instances are restarted. |
| Exit Code | Description |
|---|---|
| 0 | Server restarted successfully. |
| 1 | Server could not be started. |
| 2 | Server restarted successfully but was already stopped. |
| 3 | Server could not be stopped. |
9.3.16. restart-ds-admin (Restarts the Admin Server)
restart-ds-admin
There are no options for this script.
9.3.17. restart-slapd (Restarts the Directory Server)
restart-dirsrv and automatically supplies the instance name to the restart-dirsrv script.
restart-slapd
There are no options for this script.
Table 9.14. restart-slapd Exit Status Codes
| Exit Code | Description |
|---|---|
| 0 | Server restarted successfully. |
| 1 | Server could not be started. |
| 2 | Server restarted successfully but was already stopped. |
| 3 | Server could not be stopped. |
9.3.18. restoreconfig (Restores Admin Server Configuration)
NetscapeRoot partition under the /etc/dirsrv/slapd-instance_name/ directory.
- Stop the Directory Server.
- Run the restoreconfig script.
- Restart the Directory Server.
- Restart the Admin Server for the changes to be taken into account.
restoreconfig
There are no options for this script.
9.3.19. saveconfig (Saves Admin Server Configuration)
/var/lib/dirsrv/slapd-instance_name/bak directory.
saveconfig
There are no options for this script.
9.3.20. start-dirsrv (Starts the Directory Server)
ps command because it could sometimes be that the script returned a message while the startup process was still on-going, resulting in a confusing message.
start-dirsrv [instance_name]
| Option | Description |
|---|---|
| instance_name | A name of a specific Directory Server instance to start. If the instance name isn't given, then all local Directory Server instances are started. |
| Exit Code | Description |
|---|---|
| 0 | Server started successfully. |
| 1 | Server could not be started. |
| 2 | Server was already running. |
9.3.21. start-ds-admin (Starts the Admin Server)
start-ds-admin
There are no options for this script.
9.3.22. start-slapd (Starts the Directory Server)
ps command because it could sometimes be that the script returned a message while the startup process was still on-going, resulting in a confusing message.
start-dirsrv and automatically supplies the instance name to the start-dirsrv script.
start-slapd
There are no options for this script.
Table 9.15. start-slapd Exit Status Codes
| Exit Code | Description |
|---|---|
| 0 | Server started successfully. |
| 1 | Server could not be started. |
| 2 | Server was already started. |
9.3.23. stop-dirsrv (Stops the Directory Server)
ps command because it could sometimes be that the script returned a success message while the shutdown process was still on-going, resulting in a confusing message.
stop-dirsrv [instance_name]
| Option | Description |
|---|---|
| instance_name | A name of a specific Directory Server instance to stop. If the instance name isn't given, then all local Directory Server instances are stopped. |
| Exit Code | Description |
|---|---|
| 0 | Server stopped successfully. |
| 1 | Server could not be stopped. |
| 2 | Server was already stopped. |
9.3.24. stop-ds-admin (Stops the Admin Server)
stop-ds-admin
There are no options for this script.
9.3.25. stop-slapd (Stops the Directory Server)
ps command because it could sometimes be that the script returned a message while the shutdown process was still on-going, resulting in a confusing message.
stop-dirsrv and automatically supplies the instance name to the stop-dirsrv script.
stop-slapd
There are no options for this script.
Table 9.16. stop-slapd Exit Status Codes
| Exit Code | Description |
|---|---|
| 0 | Server stopped successfully. |
| 1 | Server could not be stopped. |
| 2 | Server was already stopped. |
9.3.26. suffix2instance (Maps a Suffix to a Backend Name)
suffix2instance [-s suffix]
Table 9.17. suffix2instance Options
| Option | Description |
|---|---|
| -s | Suffix to be mapped to the back end. |
9.3.27. upgradednformat
Note
setup-ds-admin.pl -u when a Directory Server instance is upgraded. It is not likely that this script will need to be run manually.
upgradednformat [-N] -n backendInstance [-a /path/to/database/directory]
Either the -N or both -n and -a must be specified.
Table 9.18. upgradednformat Options
| Option | Description |
|---|---|
| -a /path/to/database/directory | Gives the full path to the database directory. |
| -N | Checks whether any DNs in the database need to be updated. |
| -n backendInstance | Gives the name of the database containing the entries to index. |
9.3.28. vlvindex (Creates Virtual List View Indexes)
To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way search results are viewed. VLV indexes can organize search results alphabetically or in reverse alphabetical order, making it easy to scroll through the list of results. VLV index configuration must already exist prior to running this script.
vlvindex [-d debugLevel] [-n backendInstance] | [-s suffix] [-T vlvTag]
Either the -n or the -s option must be specified.
Table 9.19. vlvindex Options
| Option | Description |
|---|---|
| -d debugLevel | Specifies the debug level to use during index creation. Debug levels are defined in Section 3.1.1.55, “nsslapd-errorlog-level (Error Log Level)” |
| -n backendInstance | Gives the name of the database containing the entries to index. |
| -s suffix | Gives the name of the suffix containing the entries to index. |
| -T vlvTag | VLV index identifier to use to create VLV indexes. The Console can specify VLV index identifier for each database supporting the directory tree, as described in the Directory Server Administrator's Guide. Define additional VLV tags by creating them in LDIF and adding them to Directory Server's configuration, as described in the Red Hat Directory Server Administrator's Guide. Red Hat recommends using the DN of the entry for which to accelerate the search sorting. |
9.4. Perl Scripts
9.4.1. bak2db.pl (Restores a Database from Backup)
bak2db.pl -D rootdn -w password | -w - | -j filename -a backupDirectory [-t databaseType] [-n backend]
The script bak2db.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option.
Table 9.20. bak2db.pl Options
| Option | Description |
|---|---|
| -a backupDirectory | The directory of the backup files. |
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. |
| -j filename | The name of the file containing the password. |
| -n backendInstance | Specifies the back end name, such as userRoot, which is being restored. This option is only used for filesystem replica initialization or to restore a single database; it is not necessary to use the -n option to restore the entire directory. |
| -t databaseType | The database type. The only possible database type is ldbm. |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.2. cl-dump.pl (Dumps and Decodes the Changelog)
Note
cl-dump.pl is in the /usr/bin directory.
cl-dump.pl [-h host] [-p port] [-D bindDn] [-w bindPassword | -P bindCert] [-r replicaRoots] [-o outputFile] [-c]
cl-dump.pl -i changelogFile [-o outputFile] [-c]
Without the -i option, the script must be run when the Directory Server is running from a location from which the server's changelog directory is accessible.
Table 9.21. cl-dump.pl command options
| Option | Description |
|---|---|
| -c | Dumps and interprets change sequence numbers (CSN) only. This option can be used with or without the -i option. |
| -D bindDn | Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted. |
| -h host | Specifies the Directory Server's host. Defaults to the server where the script is running. |
| -i changelogFile | Specifies the path to the changelog file. If there is a changelog file and if certain changes in that file are base-64 encoded, use this option to decode that changelog. |
| -o outputFile | Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted. |
| -p port | Specifies the Directory Server's port. The default value is 389. |
| -P bindCert | Specifies the path, including the filename, to the certificate database that contains the certificate used for binding. |
| -r replicaRoots | Specifies the replica-roots whose changelog to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped. |
| -w bindPassword | Specifies the password for the bind DN. |
9.4.3. db2bak.pl (Creates a Backup of a Database)
db2bak.pl -D rootdn -w password | -w - | -j filename [-a dirName] [-t db_type]
The script db2bak.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option. Currently, the only possible database type is ldbm.
Table 9.22. db2bak.pl Options
| Option | Description |
|---|---|
| -a dirName | The directory where the backup files will be stored. The /var/lib/dirsrv/slapd-instance_name/bak directory is used by default. The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss). |
| -D rootdn | The user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. |
| -j filename | The name of the file containing the password. |
| -t | The database type. Currently, the only possible database type is ldbm. |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.4. db2index.pl (Creates and Generates Indexes)
cn=config configuration file.
Note
db2index uses the entryrdn index to order the parent-child entries when it indexes the database to preserve the proper hierarchy of parent and child entries. If the entryrdn index is unavailable for some reason, then db2index uses the parentid key for each entry to identify the parent. This second method allows the index operation to succeed, but the operation may take a long time to complete.
db2index.pl -D rootdn -w password | -w - | -j filename -n backendInstance [-t attributeName(:indextypes(:matchingrules))] [-T vlvAttributeName]
The script db2index.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values provided for each option.
Table 9.23. db2index.pl Options
| Option | Description |
|---|---|
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. |
| -j filename | The name of the file containing the password. |
| -n backendInstance | Gives the instance to be indexed. If the instance is not specified, the script reindexes all instances. |
| -t attributeName{:indextypes(:matchingrules)} | Gives the name of the attribute to be indexed. If omitted, all the indexes defined for the specified instance are generated. Optionally, this can include the index type (eq, pres, sub, approx) and a matching rule OID. |
| -T vlvAttributeName | Gives the names of the VLV attributes to be reindexed. The name is the VLV index object's common name in cn=config. |
| -w password | Gives the password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.5. db2ldif.pl (Exports Database Contents to LDIF)
Note
db2ldif.pl uses the entryrdn index to order the parent-child entries when it exports the database; this enables the exported LDIF file to be used for import, since the proper hierarchy of parent and child entries is preserved. If the entryrdn index is unavailable for some reason, then db2ldif.pl uses the parentid key for each entry to identify the parent and export it before the child entry. This second method allows the export operation to succeed, but the operation may take a long time to complete.
db2ldif.pl -D rootdn -w password | -w - | -j filename -n backendInstance | -s includeSuffix ... [-x excludeSuffix ...] [-a outputFile] [-N] [-r] [-C] [-u] [-U] [-m] [-E] [-1] [-M]
To run this script, the server must be running, and either the -n or -s option is required.
Table 9.24. db2ldif.pl Options
| Option | Description |
|---|---|
| -1 | Deletes, for reasons of backward compatibility, the first line of the LDIF file that gives the version of the LDIF standard. |
| -a outputFile | Gives the filename of the output LDIF file. |
| -C | Uses only the main database file. |
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. |
| -E | Decrypts encrypted data during export. This option is used only if database encryption is enabled. |
| -j filename | The name of the file containing the password. |
| -m | Sets minimal base-64 encoding. |
| -M | Uses multiple files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for -a option). |
| -n backendInstance | Gives the instance to be exported. |
| -N | Suppresses printing sequential numbers. |
| -r | Exports the information required to initialize a replica when the LDIF is imported. The LDIF file which is created with db2ldif.pl can be imported using ldif2db.pl. When it is imported, if the -r option was used, then the database is automatically initialized as a replica. See Section 9.4.8, “ldif2db.pl (Import)” for information on importing an LDIF file. |
| -s includeSuffix | Gives suffixes to be included or the subtrees to be included if -n has been used. |
| -u | Requests that the unique ID is not exported. |
| -U | Requests that the output LDIF is not folded. |
| -w password | Gives the password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
| -x excludeSuffix | Gives suffixes to be excluded. |
9.4.6. fixup-linkedattrs.pl (Regenerate Linked and Managed Attributes)
The fixup-linkedattrs.pl script creates the managed attributes in the user entries once the linking plug-in instance is created or updates the managed attributes to keep everything in sync after operations like replication or synchronization.
fixup-linkedattrs.pl -D rootdn -w password | -w - | -j filename [-l DN]
Table 9.25. fixup-linkedattrs.pl Options
| Option | Description |
|---|---|
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. |
| -j filename | The name of the file containing the password. |
| -l DN | Gives the target DN for which to update the linked attributes. If this is not set, then the default is to update all linked and managed attributes for the entire subtree or directory tree. |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.7. fixup-memberof.pl (Regenerate memberOf Attributes)
memberOf on user entries to coordinate changes in group membership.
fixup-memberof.pl -D rootdn -w password | -w - | -j filename -b baseDN [-f filter]
Table 9.26. fixup-memberof.pl Options
| Option | Description |
|---|---|
| -b baseDN | The DN of the subtree containing the entries to update. |
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. |
| -f filter | An LDAP query filter to use to select the entries within the subtree to update. If there is no filter set, then the default filter is objectclass=inetorgperson, and every entry belonging to that object class within the subtree is updated. |
| -j filename | The name of the file containing the password. |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.8. ldif2db.pl (Import)
ldif2db.pl -D rootdn -w password | -w - | -j filename -n backendInstance | -s includeSuffix [-x excludeSuffix] [-O] [-c] [-g string] [-G namespaceId] [-i filename] [-E]
Table 9.27. ldif2db.pl Options
| Option | Description |
|---|---|
| -c | Merges chunk size. |
| -D rootdn | Specifies the user DN with root permissions, such as Directory Manager. |
| -E | Decrypts encrypted data during export. This option is used only if database encryption is enabled. |
| -g string | Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic namespaceId, where namespaceId is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Use this option when the same LDIF file is imported into two different Directory Servers and the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified. |
| -G namespaceId | Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option. |
| -i filename | Specifies the filename of the input LDIF files. When multiple files are imported, they are imported in the order they are specified on the command line. |
| -j filename | Specifies the path, including the filename, to the file that contains the password associated with the user DN. |
| -n backendInstance | Specifies the instance to be imported. |
| -O | Requests that only the core database is created without attribute indexes. |
| -s includeSuffix | Specifies the suffixes to be included or specifies the subtrees to be included if -n has been used. |
| -w password | Specifies the password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
| -x excludeSuffix | Specifies the suffixes to be excluded. |
9.4.9. logconv.pl (Log Converter)
Note
logconv.pl is in the /usr/bin directory.
Table 9.28. Information Extracted from Access Logs
The logconv.pl tool displays two types of statistics useful for monitoring and optimizing directory usage:
- Simple counts of events such as the total number of binds, connections separated by SSL and TLS protocol versions, and the number of searches provide overall usage information. This is the basic information that the tool will always print.
- Lists of the most frequently occurring parameters in LDAP requests provide insight into how the directory information is being accessed. For example, lists of the top ten bind DNs, base DNs, filter strings, and attributes returned can help administrators optimize the directory for its users. These lists are optional because they are computation intensive: specify only the command-line options required (see Options).
logconv.pl script is available only in logs from current releases of Directory Server; the corresponding values will be zero when analyzing logs from older versions. In addition, some information will only be present in the logs if verbose logging is enabled in the Directory Server. For more information, see Section 3.1.1.2, “nsslapd-accesslog-level (Access Log Level)”.
- Some data extracted from logs depend on connection and operation numbers that are reset and no longer unique after a server restarts. Therefore, to obtain the most accurate counts, the logs to be analyzed should not span the restart of the Directory Server.
- Due to changes in access log format in current releases of Directory Server that affected operation numbers, the tool will be more accurate with logs from current versions when processing large amounts of access logs.
- For performance reasons, it is not recommended to run more than one gigabyte of access logs through the script at any one time.
logconv.pl [-S startTimestamp] [-E endTimestamp] [-d mgrDN] [-D tmp_directory] [-X ipAddress] [-m] [-M] [-h] [-s size_limit] [-V] [-efcibaltnxgjuyp] [accessLog]
Table 9.29. logconv.pl Options
| Option | Description |
|---|---|
| -d mgrDN | Specifies the distinguished name (DN) of the Directory Manager in the logs being analyzed. This allows the tool to collect statistics for this special user. The mgrDN parameter should be given in double quotes ("") for the shell. When this parameter is omitted, logconv.pl will use the default manager DN of the Directory Server, "cn=Directory Manager". |
| -D tmp_directory | Sets the location of the directory to store temporary data. The default is /tmp. For performance improvements, you can set this path to a RAM disk. |
| -E endTimestamp | Specifies the end timestamp; the timestamp must follow the exact format as specified in the access log. |
| -h | Displays the usage help text that briefly describes all options. |
| -M | Charts per-minute statistics for access within the specified time period. This is useful for charting peaks and troughs in usage patterns. |
| -m | Charts per-second statistics for access within the specified time period. This is useful for charting peaks and troughs in usage patterns. |
| -s number | Specifies the number of items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the Directory Server most often. This parameter will apply to all lists that are enabled, and it will have no effect if none are displayed. |
| -S startTimestamp | Specifies the start timestamp; the timestamp must follow the exact format as specified in the access log. |
| -V | Enables verbose output. With this option, logconv.pl will compute and display all of the optional lists described in Table 9.30, “logconv.pl Options to Display Occurrences”. |
| -X ipAddress | Specifies the IP address of a client to exclude from the statistics. This client will not appear in lists of IP addresses (the i flag), and the connection codes it generates will not be tallied in the total connections (default statistic) nor in the connection code details (the c flag). For example, an administrator may want the server to ignore the effect of a load balancer that connects to the Directory Server at regular intervals. This option may be repeated to exclude multiple IP addresses. |
| accessLog | The name of a file that contains the access log of the Directory Server. You can specify multiple files or use wildcard characters. Additionally, the logconv.pl script supports compressed files and tar archives based on the file extension, such as .bz2 or .tar.gz. The statistics are computed over the set of all logs, so all logs should pertain to the same Directory Server. The tool ignores any file with the name access.rotationinfo. |
-abcefg.
Table 9.30. logconv.pl Options to Display Occurrences
| Option | Description |
|---|---|
| e | Lists the most frequent error and return codes. |
| f | Lists the bind DNs with the most failed logins (invalid password). |
| c | Lists the number of occurrences for each type of connection code. |
| i | Lists the IP addresses and connection codes of the clients with the most connections, which detects clients that may be trying to compromise security. |
| b | Lists the most frequently used bind DNs. |
| a | Lists the most frequent base DNs when performing operations. |
| l | Lists the most frequently used filter strings for searches. |
| t | Lists the longest and most frequent etimes (elapsed operation time). |
| n | Lists the largest and most frequent nentries (entries per result). |
| x | Lists the number and OID of all extended operations. |
| r | Lists the names of the most requested attributes. |
| g | Lists the details of all abandoned operations. |
| j | Gives recommendations based on data collected from the log file. |
| u | Gives operation details about unindexed searches. |
| y | Lists connection latency details, which indicates the overall connection latency. |
| p | Lists open connection ID statistics, which indicates the FDs that are not yet closed. |
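The failed-login list (the f flag) and the restart caveat above both rest on correlating connection and operation numbers. The following is an added example, not logconv.pl's own code: it ties each BIND line to its RESULT line by conn and op, counts err=49 results per bind DN and client IP, and uses a connection number that goes backwards as a heuristic sign that the log spans a server restart. The function name, the exclusion list (modeled loosely on -X) and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# The three access-log line types needed to attribute a failed bind.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to \S+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

INVALID_CREDENTIALS = "49"  # LDAP result code returned for a wrong password

# Constructed sample in the access log format; addresses and DNs are made up.
# The second "conn=1" line appears after a simulated server restart.
SAMPLE_LOG = """\
[21/Apr/2009:11:39:51 -0700] conn=1 fd=64 slot=64 connection from 198.51.100.7 to 192.0.2.1
[21/Apr/2009:11:39:51 -0700] conn=1 op=0 BIND dn="uid=admin,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:39:51 -0700] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:52 -0700] conn=1 op=1 BIND dn="uid=admin,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:39:52 -0700] conn=1 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:39:53 -0700] conn=1 op=2 BIND dn="uid=admin,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:39:53 -0700] conn=1 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:40:00 -0700] conn=2 fd=65 slot=65 connection from 192.0.2.50 to 192.0.2.1
[21/Apr/2009:11:40:00 -0700] conn=2 op=0 BIND dn="uid=probe,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:40:00 -0700] conn=2 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2009:11:41:10 -0700] conn=3 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.1
[21/Apr/2009:11:41:10 -0700] conn=3 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:11:41:10 -0700] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jsmith,ou=people,dc=example,dc=com"
[21/Apr/2009:12:05:00 -0700] conn=1 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[21/Apr/2009:12:05:01 -0700] conn=1 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[21/Apr/2009:12:05:01 -0700] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""


def failed_binds(lines, exclude_ips=()):
    """Count invalid-password binds per bind DN and per client IP."""
    exclude = set(exclude_ips)
    conn_ip = {}   # conn number -> client IP
    pending = {}   # (conn, op) -> bind DN waiting for its RESULT line
    by_dn, by_ip = Counter(), Counter()
    last_conn, conn_resets = -1, 0
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn = int(m.group(1))
            if conn <= last_conn:
                # Connection numbers only grow while the server runs, so a lower
                # number means they were reset: forget all earlier state rather
                # than attribute new operations to the old client.
                conn_resets += 1
                conn_ip.clear()
                pending.clear()
            last_conn = conn
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3).lower()
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is None or m.group(3) != INVALID_CREDENTIALS:
                continue
            ip = conn_ip.get(m.group(1), "unknown")
            if ip in exclude:
                continue
            by_dn[dn] += 1
            by_ip[ip] += 1
    return {"by_dn": dict(by_dn), "by_ip": dict(by_ip), "conn_resets": conn_resets}


if __name__ == "__main__":
    print(failed_binds(SAMPLE_LOG.splitlines(), exclude_ips=["192.0.2.50"]))
```

A non-zero conn_resets value is the cue to split the input at the restart and analyze each part separately, as the note on log spans recommends.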
9.4.10. migrate-ds.pl
Warning
The migrate-ds.pl script is used to migrate a Directory Server 7.1 instance. Migration can happen between instances on the same machine, on different machines, or on different platforms. This script only migrates a Directory Server instance, not an Admin Server.
setup-ds-admin.pl for the Directory Server 8.2 instance before running the migration script if you are migrating from a 7.1 server.
.inf file, same as the setup scripts. Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.
migrate-ds.pl --oldsroot=server_directory [--actualsroot=server_directory] [--instance=instance_name] [--file=name] [--cross] [--debug] [--log=name] General.ConfigDirectoryAdminPwd=password
| Option | Alternate Options | Description |
|---|---|---|
| General.ConfigDirectoryAdminPwd=password | | Required. This is the password for the configuration directory administrator of the old Directory Server (the default user name is admin). |
| --oldsroot | -o | Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds/. |
| --actualsroot | -a | This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server installation if that directory is mounted on a networked drive or tarballed and moved to a relative directory. In that case, the oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/opt/redhat-ds/), while the actualsroot parameter sets the server root, (/opt/redhat-ds/). |
| --instance | -i | This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine. |
| --file=name | -f name | This sets the path and name of the .inf file provided with the migration script. The only parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password. Any other configuration setting is ignored by the migration script. |
| --cross | -c or -x | This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports into the 8.2 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized. |
| --debug | -d[dddd] | This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level. |
| --logfile name | -l | This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log. To disable logging, set /dev/null as the logfile. |
9.4.11. migrate-ds-admin.pl
Warning
The migrate-ds-admin.pl script is used to migrate a Directory Server 7.1 instance. Migration can happen between instances on the same machine, on different machines, or on different platforms. This script migrates both the Directory Server instances and the Admin Server for the 7.1 deployment.
setup-ds-admin.pl for the Directory Server 8.2 instance before running the migration script if you are migrating from a 7.1 server.
.inf file, same as the setup scripts. Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.
migrate-ds-admin.pl --oldsroot=server_directory [--actualsroot=server_directory] [--instance=instance_name] [--file=name] [--cross] [--debug] [--log=name] General.ConfigDirectoryAdminPwd=password
| Option | Alternate Options | Description |
|---|---|---|
| General.ConfigDirectoryAdminPwd=password | | Required. This is the password for the configuration directory administrator of the old Directory Server (the default user name is admin). |
| --oldsroot | -o | Required. This is the path to the server root directory in the old 7.1 Directory Server installation. The default path in 7.1 servers is /opt/redhat-ds/. |
| --actualsroot | -a | This is used for migrating between two machines to specify the real path to the current server root directory in the old 7.1 Directory Server installation if that directory is mounted on a networked drive or tarballed and moved to a relative directory. In that case, the oldsroot parameter sets the directory from which the migration is run (such as machine_new:/migrate/opt/redhat-ds/), while the actualsroot parameter sets the server root, (/opt/redhat-ds/). |
| --instance | -i | This parameter specifies a specific instance to migrate. This parameter can be used multiple times to migrate several instances simultaneously. By default, the migration script migrates all Directory Server instances on the machine. |
| --file=name | -f name | This sets the path and name of the .inf file provided with the migration script. The only parameter is the General.ConfigDirectoryAdminPwd parameter, which is the configuration directory administrator's password. Any other configuration setting is ignored by the migration script. |
| --cross | -c or -x | This parameter is used when the Directory Server is being migrated from one machine to another with a different architecture. For cross-platform migrations, only certain data are migrated. This migration action takes database information exported to LDIF and imports into the 8.2 databases. Changelog information is not migrated. If a supplier or hub is migrated, then all its replicas must be reinitialized. |
| --debug | -d[dddd] | This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level. |
| --logfile name | -l | This parameter specifies a log file to which to write the output. If this is not set, then the migration information is written to a temporary file, named /tmp/migrateXXXXX.log. To disable logging, set /dev/null as the logfile. |
9.4.12. ns-accountstatus.pl (Establishes Account Status)
ns-accountstatus.pl [-D rootdn] [-w password | -w - | -j filename] [-p port] [-h host] -I DN [-?]
Table 9.31. ns-accountstatus.pl Options
| Option | Description |
|---|---|
| -D rootdn | Specifies the Directory Server user DN with root permissions, such as Directory Manager. |
| -h host | Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed. |
| -I DN | Specifies the entry DN or role DN whose status is required. |
| -j filename | Specifies the path, including the filename, to the file that contains the password associated with the user DN. |
| -p port | Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time. |
| -w password | Specifies the password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
| -? | Opens the help page. |
9.4.13. ns-activate.pl (Activates an Entry or Group of Entries)
ns-activate.pl [-D rootdn] [-w password | -w - | -j filename] [-p port] [-h host] -I DN [-?]
Table 9.32. ns-activate.pl Options
| Option | Description |
|---|---|
| -D rootdn | Specifies the Directory Server user DN with root permissions, such as Directory Manager. |
| -h host | Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed. |
| -I DN | Specifies the entry DN or role DN to activate. |
| -j filename | Specifies the path, including the filename, to the file that contains the password associated with the user DN. |
| -p port | Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time. |
| -w password | Specifies the password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
| -? | Opens the help page. |
9.4.14. ns-inactivate.pl (Inactivates an Entry or Group of Entries)
ns-inactivate.pl [-D rootdn] [-w password | -w - | -j filename] [-p port] [-h host] -I DN [-?]
Table 9.33. ns-inactivate.pl Options
| Option | Description |
|---|---|
| -D rootdn | Specifies the Directory Server user DN with root permissions, such as Directory Manager. |
| -h host | Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed. |
| -I DN | Specifies the entry DN or role DN to deactivate. |
| -j filename | Specifies the path, including the filename, to the file that contains the password associated with the user DN. |
| -p port | Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time. |
| -w password | Specifies the password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
| -? | Opens the help page. |
9.4.15. ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
ns-newpwpolicy.pl [-D rootdn] [-w password | -j filename] [-p port] [-h host] -U userDN -S suffixDN [-?]
Table 9.34. ns-newpwpolicy.pl Options
| Option | Description |
|---|---|
| -D rootdn | Specifies the Directory Server user DN with root permissions, such as Directory Manager. The default value is cn=directory manager. |
| -h host | Specifies the host name of the Directory Server. The default value is localhost or the full host name of the machine where Directory Server is installed. |
| -j filename | Specifies the path, including the filename, to the file that contains the password associated with the user DN. |
| -p port | Specifies the Directory Server's port. The default value is 389 or the LDAP port of Directory Server specified at installation time. |
| -S suffixDN | Specifies the DN of the suffix entry that needs to be updated with subtree-level password policy attributes. |
| -U userDN | Specifies the DN of the user entry that needs to be updated with user-level password policy attributes. |
| -w password | Specifies the password associated with the user DN. |
| -? | Opens the help page. |
9.4.16. register-ds-admin.pl
The register-ds-admin.pl script can be used for two things:
- Registering an existing Directory Server instance with a different Admin Server or Configuration Directory Server.
- Creating a new, local Admin Server when only a Directory Server was installed previously.
Important
The register-ds-admin.pl script does not support external LDAP URLs, so the Directory Server instance must be registered against a local Admin Server.
| Option | Alternate Options | Description |
|---|---|---|
| --debug | -d[dddd] | This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level. |
| --logfile name | -l | This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null. |
9.4.17. remove-ds.pl
The remove-ds.pl script removes a single instance of Directory Server. The server instance usually must be running when this script is run so that the script can bind to the instance. It is also possible to force the script to run, which may be necessary if there was an interrupted installation process or the instance is corrupted or broken so that it cannot run.
The security databases, cert8.db and key3.db, are not removed, so the remaining instance directory is renamed slapd-instance.removed.
| Option | Parameter | Description |
|---|---|---|
| -a | | Removes the certificate database files and the backup directory of the configuration files (slapd-instance.removed) as part of the removal procedure. |
| -f | | Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway. |
| -i | instance_name | The name of the instance to remove. |
9.4.18. remove-ds-admin.pl
The remove-ds-admin.pl script removes every instance of Directory Server on a system and the associated Admin Server. The server instances usually must be running when this script is run so that the script can bind to the instances.
When a Directory Server instance is removed, it is shut down and all of its configuration files are removed.
The security databases, cert8.db and key3.db, are not removed. The remaining Directory Server instance directory (containing the security databases) is renamed slapd-instance.removed. Using the -a option with the script removes the security databases as well.
When an Admin Server instance is removed, it is shut down and most of its configuration files are removed.
The nss.conf file for the Admin Server instance is preserved in an archived instance directory.
The security databases, cert8.db and key3.db, are not removed and are preserved in an archived instance directory. Using the -a option with the script removes the security databases for the Admin Server (as well as the Directory Server).
| Option | Description |
|---|---|
| -a | Removes the certificate database files as part of the removal procedure and reverts the configuration files back to their initial state. |
| -f | Forces the removal of the instance. This can be useful if the instance is not running but must be removed anyway. |
| -y | Performs the removal operation. This is required; otherwise, the script essentially performs a dry-run and does not remove any Admin Server or Directory Server instances. |
9.4.19. repl-monitor.pl (Monitors Replication Status)
Note
repl-monitor.pl is in the /usr/bin directory.
repl-monitor.pl [-h host] [-p port] [-f configFile] [-u refreshUrl] [-t refreshInterval] [-r]
Table 9.35. repl-monitor.pl Options
| Option | Description |
|---|---|
| -f configFile | Specifies the absolute path to the configuration file, which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format. |
| -h host | Specifies the initial replication supplier's host. The default value is the current host name. |
| -p port | Specifies the initial replication supplier's port. The default value is 389. |
| -r | If specified, causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine — such as specifying multiple, different, unrelated supplier servers — and expecting a single HTML output. |
| -t refreshInterval | Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be used with the -u option. |
| -u refreshUrl | Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option. The script has been integrated into Red Hat Administration Express, so that the replication status can be monitored through a web browser. |
The configuration file defines the following:
- The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory.
- The server alias for more readable server names; specifying this information is optional.
- The color thresholds for time lags; specifying this information is optional.
[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...
[alias]
alias = host:port
alias = host:port
...
[color]
lowmark = color
lowmark = color
cn=Directory Manager. Simple bind will be used unless bindcert is specified with the path of a certificate database.
host1 share the same binddn and bindpassword, the connection section will need to contain just two entries:
[connection]
*:*:binddn:bindpassword:
host1:*:binddn1:bindpassword1:
Supplier1, Supplier2, and Hub1, to identify the servers in the replication topology. If used, the output shows these aliases, instead of http(s)://hostname:port.
# character or a connection entry of the following format:
host:port:binddn:bindpwd:bindcert
- host, port, and binddn can be replaced with relevant values or *, or omitted altogether. If host is null or *, the entry may apply to any host that does not have a dedicated entry in the file. If port is null or *, the port will default to the port stored in the current replication agreement. If binddn is null or *, it defaults to cn=Directory Manager.
- bindcert can be replaced with the full path to the certificate database, null, or *. If bindcert is omitted or replaced with *, the connection will be a simple bind.
#Configuration File for Monitoring Replication Via Admin Express
[connection]
*:*:*:mypassword
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
host:port=shadowport:binddn:bindpwd:bindcert
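Because the [connection] section stores bind passwords in cleartext and wildcard entries fall back to cn=Directory Manager, it helps to see which credentials a given replica will actually be contacted with. The following is an added example, not repl-monitor.pl's own code: it parses the three sections, resolves the entry that applies to a host and port using the wildcard rules above, and audits the file's mode and any stored Directory Manager password. The function names and sample values are hypothetical; preferring an entry with an explicit port over one with a wildcard port, and passwords containing no colon, are assumptions.

```python
import os
import stat

DEFAULT_BINDDN = "cn=Directory Manager"  # default bind DN named in the reference
FIELDS = ("host", "port", "binddn", "bindpwd", "bindcert")

# Constructed sample in the documented layout; hosts, DNs and passwords are made up.
SAMPLE = """\
# replication monitoring configuration
[connection]
*:*:*:mypassword
host1.example.com:*:uid=replmon,dc=example,dc=com:otherpassword:/etc/dirsrv/slapd-host1
[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC
"""


def is_wild(value):
    """Null (empty) and '*' both mean 'not specified' in a connection entry."""
    return value in ("", "*")


def parse_config(text):
    """Return {'connection': [entry, ...], 'alias': {...}, 'color': {...}}."""
    cfg = {"connection": [], "alias": {}, "color": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "connection":
            # host:port:binddn:bindpwd:bindcert, trailing fields may be omitted
            parts = (line.split(":", 4) + [""] * 5)[:5]
            cfg["connection"].append(dict(zip(FIELDS, (p.strip() for p in parts))))
        elif section in ("alias", "color") and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            cfg[section][key] = value
    return cfg


def resolve(cfg, host, port):
    """Pick the entry used for host:port; dedicated entries beat wildcards."""
    best, best_score = None, -1
    for entry in cfg["connection"]:
        if not is_wild(entry["host"]) and entry["host"].lower() != host.lower():
            continue
        if not is_wild(entry["port"]) and entry["port"] != str(port):
            continue
        # Assumption: an explicit host outranks an explicit port.
        score = 2 * (not is_wild(entry["host"])) + (not is_wild(entry["port"]))
        if score > best_score:
            best, best_score = entry, score
    if best is None:
        return None
    return {
        "binddn": DEFAULT_BINDDN if is_wild(best["binddn"]) else best["binddn"],
        "bindpwd": best["bindpwd"],
        "bind": "simple" if is_wild(best["bindcert"]) else "certdb",
    }


def audit(path):
    """Report risky properties of a configuration file holding bind passwords."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %o lets group or other users read bind passwords" % mode)
    with open(path) as handle:
        cfg = parse_config(handle.read())
    for entry in cfg["connection"]:
        dn = DEFAULT_BINDDN if is_wild(entry["binddn"]) else entry["binddn"]
        if entry["bindpwd"] and dn.lower() == DEFAULT_BINDDN.lower():
            findings.append("entry for host %r stores the %s password"
                            % (entry["host"] or "*", DEFAULT_BINDDN))
    return findings
```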
9.4.20. schema-reload.pl (Reload Schema Files Dynamically)
schema-reload.pl -D rootdn -w password | -w - | -j filename [-d schema_directory]
Table 9.36. schema-reload.pl Options
| Option | Description |
|---|---|
| -d schema_directory | Gives the full path to the directory where the schema file is located. If this is not specified, the script uses the default schema directory, /etc/dirsrv/schema. Important: If schema files are not in the default directory, then Directory Server will not use them the next time it restarts unless schema-reload.pl is run again. |
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. |
| -j filename | The name of the file containing the password. |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.21. setup-ds.pl
The setup-ds.pl script is used to create a Directory Server instance. Running this script with the -u option after the instances are configured updates the configuration with the latest installed packages.
Note
.inf file. If no options are used, the setup-ds.pl launches an interactive configuration program.
Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.
setup-ds.pl [--debug] [--silent] [--file=name] [--keepcache] [--log=name] [--update]
| Option | Alternate Options | Description |
|---|---|---|
| --silent | -s | This runs the register script in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively. |
| --file=name | -f name | This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts. |
| --debug | -d[dddd] | This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level. |
| --keepcache | -k | This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup. This file is always generated, but is usually deleted once the install is complete. The file is created as a log file named /tmp/setuprandom.inf, like /tmp/setuplGCZ8H.inf. Warning: The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file. |
| --logfile name | -l | This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null. |
| --update | -u | This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory. |
9.4.22. setup-ds-admin.pl
The setup-ds-admin.pl script is used to create a Directory Server instance and a new Admin Server instance. Running this script with the -u option after the instances are configured updates the configuration with the latest installed packages.
.inf file. If no options are used, the setup-ds-admin.pl launches an interactive configuration program.
Both the .inf parameters and command-line arguments are described in the silent configuration section of the Installation Guide.
setup-ds-admin.pl [--debug] [--silent] [--file=name] [--keepcache] [--log=name] [--update]
| Option | Alternate Options | Description |
|---|---|---|
| --silent | -s | This runs the register script in silent mode, drawing the configuration information from a file (set with the --file parameter) or from arguments passed in the command line rather than interactively. |
| --file=name | -f name | This sets the path and name of the file which contains the configuration settings for the new Directory Server instance. This can be used with the --silent parameter; if used alone, it sets the default values for the setup prompts. |
| --debug | -d[dddd] | This parameter turns on debugging information. For the -d flag, increasing the number of d's increases the debug level. |
| --keepcache | -k | This saves the temporary installation file (.inf) that is created when the register script is run. This file can then be reused for a silent setup. This file is always generated, but is usually deleted once the install is complete. The file is created as a log file named /tmp/setuprandom.inf, like /tmp/setuplGCZ8H.inf. Warning: The cache file contains the cleartext passwords supplied during setup. Use appropriate caution and protection with this file. |
| --logfile name | -l | This parameter specifies a log file to which to write the output. If this is not set, then the setup information is written to a temporary file. To not use a log file, set the file name to /dev/null. |
| --update | -u | This parameter updates existing Directory Server instances. If an installation is broken in some way, this option can be used to update or replace missing packages and then re-register all of the local instances with the Configuration Directory. |
9.4.23. syntax-validate.pl (Validate Attribute Values)
-b option) and, optionally, only entries which match a specified filter (in the -f option).
syntax-validate.pl -D rootdn -w password | -w - | -j filename -b baseDN [-f LDAP_filter]
Table 9.37. syntax-validate.pl Options
| Option | Description |
|---|---|
| -b baseDN | Gives the base DN for the entries to validate. |
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager or whatever the value of the nsslapd-root attribute is under cn=config. |
| -f LDAP_filter | Contains a search filter to use to select a subset of entries to validate. If this is not given, then all entries under the base DN are checked. |
| -j filename | The name of the file containing the password. |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.24. usn-tombstone-cleanup.pl (Remove Deleted Entries)
entryUSN operational attribute. This USN is set even when an entry is deleted, and the tombstone entries are maintained by the Directory Server instance.
The usn-tombstone-cleanup.pl script deletes the tombstone entries maintained by the instance if the USN Plug-in is enabled.
Important
Running usn-tombstone-cleanup.pl on a replicated back end will return this error in the command line:
ldap_add: DSA is unwilling to perform
[...] usn-plugin - Suffix dc=example,dc=com is replicated. Unwilling to perform cleaning up tombstones.
usn-tombstone-cleanup.pl -D rootdn -w password | -w - | -j filename -n backendInstance | -s suffix [-m maximum_USN]
Either the -n or the -s option must be specified.
Table 9.38. usn-tombstone-cleanup.pl Options
| Option | Description |
|---|---|
| -D rootdn | Gives the user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config. |
| -j filename | The name of the file containing the password. |
| -m maximum_USN | Sets the upper bound for entries to delete. All tombstone entries with an entryUSN value up to the specified maximum (inclusive) are deleted, but not past that USN value. If no maximum USN value is set, then all back end tombstone entries are deleted. |
| -n backendInstance | Gives the name of the database containing the entries to clean (delete). |
| -s suffix | Gives the name of the suffix containing the entries to clean (delete). |
| -w password | The password associated with the user DN. |
| -w - | Prompts for the password associated with the user DN. |
9.4.25. verify-db.pl (Check for Corrupt Databases)
Important
Do not run verify-db.pl when a modify operation is in progress. This command calls the BerkeleyDB utility db_verify and does not perform any locking. This can lead to data corruption if the script is run at the same time as a modify. If that occurs, an entry will be recorded in the error log:
DB ERROR: db_verify: Page 3527: out-of-order key at entry 42
DB ERROR: db_verify: DB->verify: db/mstest2/uid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file uid.db4 in db/mstest2 is corrupted.
Please run db2index(.pl) for reindexing.
db2index -t uid to avoid rebuilding all of the indexes or export and reimport all of the databases using db2ldif and ldif2db.
verify-db.pl [-a /path/to/database_directory] [-?]
Table 9.39. verify-db.pl Options
| Option | Description |
|---|---|
| -a path | Gives the path to the database directory. If this option is not passed with the verify-db.pl command, then it uses the default database directory, /var/lib/dirsrv/slapd-instance_name/db. |
| -? | Opens the help page. |
Appendix A. Using the ns-slapd Command-Line Utilities
ns-slapd command-line utilities that can be used to perform the same tasks.
The ns-slapd command-line utilities all perform server administration tasks, and, while it can be argued that they allow a greater degree of flexibility for users, Red Hat recommends using the command-line scripts described in Chapter 9, Command-Line Scripts.
A.1. Overview of ns-slapd
ns-slapd is used to start the Directory Server process, to build a directory database from an LDIF file, or to convert an existing database to an LDIF file. For more information on starting and stopping the Directory Server, importing from LDIF using the command-line, and exporting to LDIF using the command-line, refer to the "Populating Directory Databases" chapter in the Red Hat Directory Server Administrator's Guide.
A.2. Finding and Executing the ns-slapd Command-Line Utilities
The ns-slapd command-line utilities are stored in /etc/dirsrv/slapd-instance_name.
A.3. Utilities for Exporting Databases: db2ldif
ns-slapd db2ldif -D configDir -a outputFile [-d debugLevel] [-n backendInstance] [-r] [-s includeSuffix] [-x excludeSuffix] [-N] [-u] [-U] [-m] [-M] [-E]
/etc/dirsrv/slapd-instance_name. Either the -n or the -s option must be specified.
Table A.1. db2ldif Options
| Option | Description |
|---|---|
| -a outputFile | Defines the output file in which the server saves the exported LDIF. This file is stored by default in the directory where the command-line utility resides. |
| -d debugLevel | Specifies the debug level to use during the db2ldif runtime. For further information, refer to Section 3.1.1.55, “nsslapd-errorlog-level (Error Log Level)”. |
| -D configDir | Specifies the location of the server configuration directory that contains the configuration information for the export process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. |
| -E | Decrypts an encrypted database during export. This option is used only if database encryption is enabled. |
| -m | Sets minimal base-64 encoding. |
| -M | Uses several files to store the output LDIF, with each instance stored in instance filename, where filename is the filename specified in option -a. |
| -n backendInstance | Specifies the name of the back end instance to be exported. |
| -N | Specifies that entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index. |
| -r | Exports replication state information. The server must be shut down before exporting using this option. |
| -s includeSuffix | Specifies the suffix or suffixes to include in the export. There can be multiple -s arguments. |
| -u | Specifies that the unique ID will not be included in the LDIF output. By default, the server includes the unique ID for all entries with a unique ID in the exported LDIF file. Only use this option to use the exported LDIF to initialize a 4.x consumer server; otherwise, this option does not cause the server to create a unique ID for entries but simply takes what already exists in the database. |
| -U | Outputs the contents of the database without wrapping lines. |
| -x excludeSuffix | Specifies a suffix or suffixes to exclude in the export. There can be multiple -x arguments. If neither -s nor -x is specified, the server exports all suffixes within the database. When using both -x and -s options with the same suffix, the -x operation takes precedence. Exclusion always takes precedence over inclusion. If the LDIF file will be imported into the configuration directory, do not exclude o=NetscapeRoot. |
A.4. Utilities for Restoring and Backing up Databases: ldif2db
ns-slapd ldif2db -D configDir -i ldifFile [-d debugLevel] [-g string] [-n backendInstance] [-O] [-s includeSuffix] [-x excludeSuffix] [-E]
/var/lib/dirsrv/slapd-instance_name/ldif directory. Either the -n or the -s option must be specified.
Table A.2. ldif2db Options
| Option | Description |
|---|---|
| -d debugLevel | Specifies the debug level to use during runtime. For further information, refer to Section 3.1.1.55, “nsslapd-errorlog-level (Error Log Level)”. |
| -D configDir | Specifies the location of the server configuration directory that contains the configuration information for the import process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. |
| -E | Decrypts an encrypted database during export. This option is used only if database encryption is enabled. |
| -g string | Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use, as follows: -g deterministic namespaceId, where namespaceId is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. Use this option to import the same LDIF file into two different Directory Servers and the contents of both directories should have the same set of unique IDs. If unique IDs already exist in the LDIF file being imported, then the existing IDs are imported to the server, regardless of the options specified. |
| -i ldifFile | Specifies the LDIF file to be imported. This option is required. There can be multiple -i arguments to import more than one LDIF file at a time. When importing multiple files, the server imports the LDIF files in the order they are specified on the command line. |
| -n backendInstance | Specifies the name of the back end to be imported. |
| -O | Specifies that no attribute indexes are created for the imported database. If this option is specified and the indexes need to be restored later, the indexes have to be recreated by hand. See the Directory Server Administrator's Guide for further information. |
| -s includeSuffix | Specifies the suffix or suffixes within the LDIF file to import. |
| -x excludeSuffix | Specifies suffixes within the LDIF file to exclude during the import. There can be multiple -x arguments. This option can selectively import portions of the LDIF file. If both -x and -s are used with the same suffix, -x takes precedence. Exclusion always takes precedence over inclusion. If -x or -s are not specified, then all available suffixes will be imported from the LDIF file. To import the LDIF file into the configuration directory, do not exclude o=NetscapeRoot. |
A.5. Utilities for Restoring and Backing up Databases: archive2db
ns-slapd archive2db -D configDir -a archiveDir
Table A.3. archive2db Options
| Option | Description |
|---|---|
| -D configDir | Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. |
| -a archiveDir | Specifies the archive directory. |
A.6. Utilities for Restoring and Backing up Databases: db2archive
ns-slapd db2archive -D configDir -a archiveDir
Table A.4. db2archive Options
| Option | Description |
|---|---|
| -D configDir | Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. |
| -a archiveDir | Specifies the archive directory. |
A.7. Utilities for Creating and Regenerating Indexes: db2index
ns-slapd db2index -D configDir [-d debugLevel] -n backendName -t attributeName[:indexTypes{:matchingRules}] [-T vlvTag]
Table A.5. db2index Options
| Option | Description |
|---|---|
| -d debugLevel | Specifies the debug level to use during index creation. For further information, refer to Section 3.1.1.55, “nsslapd-errorlog-level (Error Log Level)”. |
| -D configDir | Specifies the location of the server configuration directory that contains the configuration information for the index creation process. This must be the full path to the configuration directory, /etc/dirsrv/slapd-instance_name. |
| -n backendName | Specifies the name of the back end containing the entries to index. |
| -t attributeName[:indexTypes{:matchingRules}] | Specifies the attribute to be indexed as well as the types of indexes to create and matching rules to apply, if any. If the matching rule is specified, an index type must be specified. This option cannot be used with -T. indexTypes specifies a comma-separated list of indexes to be created for the attributes. matchingRules is an optional, comma-separated list of the OIDs for the languages in which the attribute will be indexed. This option is used to create international indexes. For information on supported locales and collation order OIDs, see the Appendix "Internationalization" in the Directory Server Administrator's Guide. |
| -T vlvTag | Specifies the VLV tag to use to create VLV indexes. The Console can be used to specify VLV tags for each database supporting the directory tree, as described in the Directory Server Administrator's Guide. Additional VLV tags can be defined by creating them in LDIF and adding them in the Directory Server configuration. This option cannot be used with -t. |
Appendix B. Testing Scripts Available with Directory Server
ldclt and rsearch are located in the /usr/bin directory.
B.1. ldclt (Load Stress Tests)
ldclt) establishes multiple client connections to a server, under user-defined scenarios, to load-test the Directory Server. Client operations include directory adds, searches, modifies, modRDNs, and deletes, as well as setup operations like generating LDIF files. Operations can be randomized — binding and unbinding as random users, performing random tasks — to simulate more realistic usage environments for the directory.
The ldclt tool measures the completion time of continuously-repeated operations to measure Directory Server performance. Using multiple threads makes it possible to test performance under high loads. Each test performs the same type of LDAP operation, but with different settings (like different user credentials, different attribute types or sizes, and different target subtrees).
The ldclt tool is specifically intended to be used for automated tests, so its options are extensive, flexible, and easily scripted, even for complex test operations.
Note
ldclt is a load test, and therefore uses a significant amount of system resources. The tool uses a minimum of 8 MB of memory. Depending on the numbers of threads, types of operations, and other configuration settings, it can use much more memory.
ldclt may set its own resource limits. For information on managing system resource limits, see the man pages for ulimit and getrlimit.
The ldclt utility is located in the /usr/bin directory.
B.1.1. Syntax
ldclt [-q | -Q | -v | -V] [-E max_errors] [-b base_DN] [-h host] [-p port] [-t timeout] [-D bind_DN] [-w password] [-o SASL_options] [-e execution_params] [-a max_pending] [-n number_of_threads] [-i inactivity_times] [-N number_of_samples] [-I error_code] [-T total_number_of_operations] [-r low_range] [-R high_range] [-f filter] [-s scope] [-S consumer] [-P supplier_port] [-W wait_time] [-Z certificate_file]
B.1.2. ldclt Options
Table B.1. ldclt Options
| Option | Description |
|---|---|
| -a max_pending_ops | Runs the tool in asynchronous mode with a defined maximum number of pending operations. |
| -b base_dn | Gives the base DN to use for running the LDAP operation tests. If not given, the default value is dc=example,dc=com. |
| -D bind_dn | Gives the bind DN for the ldclt utility to use to connect to the server. |
| -E max_errors | Sets the maximum number of errors that are allowed to occur in test LDAP operations before the tool exits. The default is 1000. |
| -e execution_params | Specifies the type of operation and other test environment parameters to use for the tests. The possible values for -e are listed in Table B.2, “Execution Parameters”. This option can accept multiple values, in a comma-separated list. |
| -f filter | Gives an LDAP search filter to use for search testing. |
| -h | Specifies the host name or IP address of the Directory Server to run tests against. If a host is not specified, ldclt uses the local host. |
| -I error_code | Tells ldclt to ignore any errors encountered that match a certain response code. For example, -I 89 tells the server to ignore error code 89. |
| -i inactivity_times | Sets a number of intervals that the tool can be inactive before exiting. By default, this setting is 3, which translates into 30 seconds (each operations interval being 10 seconds long). |
| -N number_of_samples | Sets the number of iterations to run, meaning how many ten-second test periods to run. By default, this is infinite and the tool only exits when it is manually stopped. |
| -n number_of_threads | Sets the number of threads to run simultaneously for operations. The default value is 10. |
| -o SASL_option | Tells the tool to connect to the server using SASL and gives the SASL mechanism to use. The format is -o saslOption=value. saslOption can have one of six values. -o can be used multiple times to pass all of the required SASL information for the mechanism. For example: -o "mech=DIGEST-MD5" -o "authzid=test_user" -o "authid=test_user" |
| -P master_port | Gives the port to use to connect to a supplier server for replication testing. The default, if one is not given, is 16000. |
| -p port | Gives the server port number of the Directory Server instance that is being tested. |
| -Q | Runs the tool in "super" quiet mode. This ignores any errors that are encountered in operations run by ldclt. |
| -q | Runs the tool in quiet mode. |
| -R number | Sets the high number for a range. |
| -r number | Sets the low number of a range. |
| -S consumer_name | Gives the host name of a consumer server to connect to to run replication tests. |
| -s scope | Gives the search scope. As with ldapsearch, the values can be subtree, one, or base. |
| -T ops_per_thread | Sets a maximum number of operations allowed per thread. |
| -t timeout | Sets a timeout period for LDAP operations. The default is 30 seconds. |
| -V | Runs the tool in very verbose mode. |
| -v | Runs the tool in verbose mode. |
| -W wait_time | Sets a time, in seconds, for the ldclt tool to wait after one operation finishes to start the next operation. The default is 0, which means there is no wait time. |
| -w password | Gives the password to use, with the -D identity, to bind to the Directory Server for testing. |
| -Z /path/to/cert.db | Enables SSL for the test connections and points to the file to use as the certificate database. |
The -e option sets execution parameters for the ldclt test operations. Multiple parameters can be configured, in a comma-separated list. For example:
-e add,bindeach,genldif=/var/lib/dirsrv/slapd-instance_name/ldif/generated.ldif,inetOrgPerson
Table B.2. Execution Parameters
| Parameter | Description |
|---|---|
| abandon | Initiates abandon operations for asynchronous search requests. |
| add | Adds entries to the directory (ldapadd). |
| append | Appends entries to the end of the LDIF file generated with the genldif option. |
| ascii | Generates ASCII 7-bit strings. |
| attreplace=name:mask | Run modify operations that replace an attribute (name) in an existing entry. |
| attrlist=name:name:name | Specifies a list of attributes to return in a search operation. |
| attrsonly=# | Used with search operations, to set whether to read the attribute values. The possible values are 0 (read values) or 1 (don't read values). |
| bindeach | Tells the ldclt tool to bind with each operation it attempts. |
| bindonly | Tells the ldclt tool to only run bind/unbind operations. No other operation is performed. |
| close | Tells the tool to close the connection rather than perform an unbind operation. |
| cltcertname=name | Gives the name of the SSL client certificate to use for SSL connections. |
| commoncounter | Makes all threads opened by the ldclt tool share the same counter. |
| counteach | Tells the tool to count each operation, not only successful ones. |
| delete | Initiates delete operations. |
| deref | Adds the dereference control to search operations (esearch). With adds, this tells ldclt to add the secretary attribute to new entries, to allow dereference searches. |
| dontsleeponserverdown | Causes the tool to loop very fast if the server is down. |
| emailPerson | This adds the emailPerson object class to generated entries. This is only valid with the add operation (-e add). |
| esearch | Performs an exact search. |
| genldif=filename | Generates an LDIF file to use with the operations. |
| imagesdir=path | Gives a location for images to use with tests. |
| incr | Enables incremental values. |
| inetOrgPerson | This adds the inetOrgPerson object class to generated entries. This is only valid with the add operation (-e add). |
| keydbfile=file | Contains the path and filename of the key database to use with SSL connections. |
| keydbpin=password | Contains the token password to access the key database. |
| noglobalstats | Tells the tool not to print periodical global statistics. |
| noloop | Does not loop the incremental numbers. |
| object=filename | Builds entry objects from an input file. |
| person | This adds the person object class to generated entries. This is only valid with the add operation (-e add). |
| random | Tells the ldclt utility to use all random elements, such as random filters and random base DNs. |
| randomattrlist=name:name:name | Tells the ldclt utility to select random attributes from the given list. |
| randombase | Tells the ldclt utility to select a random base DN from the directory. |
| randombaselow=value | Sets the low value for the random generator. |
| randombasehigh=value | Sets the high value for the random generator. |
| randombinddn | Tells the ldclt utility to use a random bind DN. |
| randombinddnfromfile=file | Tells the ldclt utility to use a random bind DN, selected from a file. Each entry in the file must have the appropriate DN–password pair. |
| randombinddnlow=value | Sets the low value for the random generator. |
| randombinddnhigh=value | Sets the high value for the random generator. |
| rdn=attrname:value | Gives an RDN to use as the search filter. This is used instead of the -f filter. |
| referral=value | Sets the referral behavior for operations. There are three options: on (allow referrals), off (disallow referrals), or rebind (attempt to connect again). |
| smoothshutdown | Tells the ldclt utility not to shut down its main thread until the worker threads exit. |
| string | Tells the ldclt utility to create random strings rather than random numbers. |
| v2 | Tells the ldclt utility to use LDAPv2 for test operations. |
| withnewparent | Performs a modRDN operation, renaming an entry with newparent set as an argument. |
| randomauthid | Uses a random SASL authentication ID. |
| randomauthidlow=value | Sets the low value for a random SASL authentication ID. |
| randomauthidhigh=value | Sets the high value for the random SASL authentication ID. |
B.1.3. Results from ldclt
ldclt continuously runs whatever operation is specified, over the specified number of threads. By default, it prints the performance statistics to the screen every ten (10) seconds.
ldclt[process_id] Average rate: number_of_ops/thr (number_of_ops/sec), total: total_number_of_ops
ldclt[22774]: Average rate: 10298.20/thr (15447.30/sec), total: 154473
ldclt prints cumulative averages and totals every 15 minutes and when the tool is exited.
ldclt[22774]: Global average rate: 821203.00/thr (16424.06/sec), total: 12318045
ldclt[22774]: Global number times "no activity" reports: never
ldclt[22774]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[22774]: Ending at Wed Feb 24 18:39:38 2010
ldclt[22774]: Exit status 0 - No problem during execution.
-v or -V output additional data to the screen. The kind of information depends on the type of operation, but it generally shows the thread performing the operation and the plug-ins called by the operation. For example:
ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret12 -e add,person,incr,noloop,commoncounter -r90000 -R99999 -f "cn=testXXXXX" -V
...
ldclt[11176]: T002: After ldap_simple_bind_s (cn=Directory Manager, secret12)
ldclt[11176]: T002: incremental mode:filter="cn=test00009"
ldclt[11176]: T002: tttctx->bufFilter="cn=test00009"
ldclt[11176]: T002: attrs[0]=("objectclass" , "person")
ldclt[11176]: T002: attrs[1]=("cn" , "test00009")
ldclt[11176]: T002: attrs[2]=("sn" , "toto sn")
...
ldclt[11176]: Average rate: 195.00/thr ( 195.00/sec), total: 1950
ldclt[10627]: Global average rate: 238.80/thr (238.80/sec), total: 2388
ldclt[10627]: Global number times "no activity" reports: never
ldclt[10627]: Global no error occurs during this session.
Catch SIGINT - exit...
ldclt[10627]: Ending at Tue Feb 23 11:46:04 2010
ldclt[10627]: Exit status 0 - No problem during execution.
ldclt without interrupting the test. Any fatal errors that are encountered are listed with the tool's exit status and returned in the cumulative total.
Global no error occurs during this session.
The ldclt utility does count the number of times each LDAP error is encountered; if the total number of errors that are logged hits more than 1000 (by default), then the script itself will error out.
How ldclt responds to LDAP errors can be configured. Using the -E option sets a different threshold for the script to error out after encountering LDAP errors. Using the -I option tells the script to ignore the specified LDAP error codes in all threads. Changing the error exit limit and ignoring certain error codes can allow you to tweak and improve test scripts or test configuration.
B.1.4. Exiting ldclt and ldclt Exit Codes
The ldclt command runs indefinitely. The script can stop itself in a handful of situations, like encountering a fatal runtime or initialization error, hitting the limit of LDAP errors, having all threads die, or hitting the operation or time limit.
ldclt script.
- Hitting control-backslash (^\) or kill -3 prints the current statistics without exiting the script.
- Hitting control-C (^C) or kill -2 exits the script and prints the global statistics.
When the ldclt script exits or is interrupted, it returns an exit code along with the statistics and error information.
Table B.3. ldclt Exit Codes
| Exit Code | Description |
|---|---|
| 0 | Success (no errors). |
| 1 | An operation encountered a serious fatal error. |
| 2 | There was an error in the parameters passed with the tool. |
| 3 | The tool hit the maximum number of LDAP errors. |
| 4 | The tool couldn't bind to the Directory Server instance. |
| 5 | The tool couldn't load the SSL libraries to connect over SSL. |
| 6 | There was a multithreading (mutex) error. |
| 7 | There was an initialization problem. |
| 8 | The tool hit a resource limit, such as a memory allocation error. |
| 99 | The script encountered an unknown error. |
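The statistics lines from section B.1.3 and the exit codes in Table B.3 are what an automated test harness consumes, and the verbose bind trace and startup parameter dump both print the bind password in clear text. The following Python is an added example, not part of the Directory Server documentation or the ldclt source: it parses captured ldclt output, explains the exit status, and masks the password before the log is stored. The function names are assumptions, and SAMPLE_OUTPUT is constructed from output lines shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Exit codes and meanings, copied from Table B.3.
EXIT_CODES = {
    0: "Success (no errors).",
    1: "An operation encountered a serious fatal error.",
    2: "There was an error in the parameters passed with the tool.",
    3: "The tool hit the maximum number of LDAP errors.",
    4: "The tool couldn't bind to the Directory Server instance.",
    5: "The tool couldn't load the SSL libraries to connect over SSL.",
    6: "There was a multithreading (mutex) error.",
    7: "There was an initialization problem.",
    8: "The tool hit a resource limit, such as a memory allocation error.",
    99: "The script encountered an unknown error.",
}

# "Average rate" (every ten seconds) and "Global average rate" (cumulative).
RATE_RE = re.compile(
    r"^ldclt\[(\d+)\]:?\s+(Global average|Average) rate:\s+"
    r"([\d.]+)/thr\s+\(\s*([\d.]+)/sec\),\s+total:\s+(\d+)\s*$"
)
EXIT_RE = re.compile(r"^ldclt\[\d+\]:\s+Exit status (\d+)\b")
# Verbose bind trace: "After ldap_simple_bind_s (<bind DN>, <password>)".
# The DN may contain commas, so the password is whatever follows the last ", ".
BIND_RE = re.compile(r"(After ldap_simple_bind_s \(.*, ).*(\)\s*)$")
# Startup parameter dump: "Passwd = <password>".
PASSWD_RE = re.compile(r"^(\s*Passwd\s*=\s*).*$")


@dataclass
class LdcltSummary:
    samples_per_sec: List[float] = field(default_factory=list)
    global_per_sec: Optional[float] = None
    global_total: Optional[int] = None
    exit_status: Optional[int] = None
    redacted: List[str] = field(default_factory=list)


def redact(line: str) -> str:
    """Mask the bind password in the two places ldclt prints it."""
    line = BIND_RE.sub(r"\1[REDACTED]\2", line)
    return PASSWD_RE.sub(r"\1[REDACTED]", line)


def summarize(lines) -> LdcltSummary:
    """Collect rates, totals and exit status; keep only redacted lines."""
    summary = LdcltSummary()
    for raw in lines:
        line = redact(raw.rstrip("\n"))
        summary.redacted.append(line)
        rate = RATE_RE.match(line)
        if rate:
            _pid, scope, _per_thread, per_sec, total = rate.groups()
            if scope == "Average":
                summary.samples_per_sec.append(float(per_sec))
            else:
                summary.global_per_sec = float(per_sec)
                summary.global_total = int(total)
            continue
        status = EXIT_RE.match(line)
        if status:
            summary.exit_status = int(status.group(1))
    return summary


def explain_exit(code: int) -> str:
    """Translate an ldclt exit code using Table B.3."""
    return EXIT_CODES.get(code, f"Exit code {code} is not listed in Table B.3.")


# Constructed input, assembled from the sample output on this page.
SAMPLE_OUTPUT = """\
Bind DN = cn=directory manager
Passwd = secret
ldclt[11176]: T002: After ldap_simple_bind_s (cn=Directory Manager, secret12)
ldclt[11176]: T002: attrs[1]=("cn" , "test00009")
ldclt[11176]: Average rate: 195.00/thr ( 195.00/sec), total: 1950
ldclt[10627]: Global average rate: 238.80/thr (238.80/sec), total: 2388
ldclt[10627]: Exit status 0 - No problem during execution.
""".splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT)
    print("\n".join(result.redacted))
    print(result.samples_per_sec, result.global_total,
          explain_exit(result.exit_status))
```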
B.1.5. Usage Scenarios
ldclt to test Directory Server. Test scripts with more complex examples are available in the ldclt source files. This can be downloaded from the 389 Directory Server Project, https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/servers/slapd/tools/ldclt/examples.
The ldclt command requires a set of execution parameters (which varies depending on the type of test) and connection parameters (which are the same for every type of operation). For example:
ldclt -e execution_parameters -h localhost -p 389 -D "cn=directory manager" -w secret -b "ou=people,dc=example,dc=com"
When ldclt runs, it first prints all of the configured parameters for that test.
Process ID = 1464
Host to connect = localhost
Port number = 389
Bind DN = cn=directory manager
Passwd = secret
Referral = on
Base DN = ou=people,dc=example,dc=com
Filter = "cn=MrXXX"
Max times inactive = 3
Max allowed errors = 1000
Number of samples = -1
Number of threads = 10
Total op. req. = -1
Running mode = 0xa0000009
Running mode = quiet verbose random exact_search
LDAP oper. timeout = 30 sec
Sampling interval = 10 sec
Scope = subtree
Attrsonly = 0
Values range = [0 , 1000000]
Filter's head = "cn=Mr"
Filter's tail = ""
B.1.5.1. Generating LDIFs
The ldclt tool itself can be used to generate LDIF files that can be used for testing.
Note
ldclt tool doesn't attempt to connect to a server or run any operations.
-e object), and then a specified output file (-e genldif).
The /usr/share/dirsrv/data directory contains three data files to generate surnames, first names, and organizational units. These lists of values can be used to create test users and directory trees (dbgen-FamilyNames, dbgen-GivenNames, and dbgen-OrgUnits, respectively). These files can be used with the rndfromfile, incrfromfile, or incrfromfilenoloop options.
# comment
attribute: string | variable=keyword(value)
-e object option and other available parameters (like rdn).
-e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]'
Table B.4. ldclt Template LDIF File Keywords
| Keyword | Description | Format |
|---|---|---|
| RNDN | Generates a random value within the specified range (low - high) and of the given length. | RNDN(low;high;length) |
| RNDFROMFILE | Pulls a random value from any of the ones available in the specified file. | RNDFROMFILE(filename) |
| INCRN | Creates sequential values within the specified range (low - high) and of the given length. | INCRN(low;high;length) |
| INCRNNOLOOP | Creates sequential values within the specified range (low - high) and of the given length — without looping through the incremental range. | INCRNNOLOOP(low;high;length) |
| INCRFROMFILE | Creates values by incrementing through the values in the specified file. | INCRFROMFILE(filename) |
| INCRFROMFILENOLOOP | Creates values by incrementing through the values in the file, without looping back through the values. | INCRFROMFILENOLOOP(filename) |
| RNDS | Generates random values of a given length. | RNDS(length) |
/usr/share/dirsrv/data and builds other attributes dynamically.
Example B.1. Example Template File
objectclass: inetOrgPerson
sn: [B=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-FamilyNames)]
cn: [C=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-GivenNames)] [B]
password: test[A]
description: user id [A]
mail: [C].[B]@example.com
telephonenumber: (555) [RNDN(0;999;3)]-[RNDN(0;9999;4)]
The ldclt command, then, uses that template to build an LDIF file with 100,000 entries:
ldclt -b "ou=people,dc=csb" -e object=inet.txt,rdn='uid:[A=INCRNNOLOOP(0;99999;5)]' -e genldif=100Kinet.ldif,commoncounter
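A template and its rdn pattern depend on each other: in Example B.1 the variable A is only defined by the rdn= parameter on the command line. The following Python is an added example, not part of ldclt or the Directory Server documentation; it checks a template and rdn pattern against the keyword formats in Table B.4 and reports variables that are referenced before they are defined. The function names, the single-capital-letter variable rule (taken from the page's examples) and BAD_TEMPLATE are assumptions for illustration.

```python
import re

# Keyword -> argument kinds, following the "Format" column of Table B.4
# ("n" = integer, "f" = file name). INCRNNOLOOP is spelled as in the
# page's rdn= examples.
KEYWORDS = {
    "RNDN": "nnn",
    "INCRN": "nnn",
    "INCRNNOLOOP": "nnn",
    "RNDFROMFILE": "f",
    "INCRFROMFILE": "f",
    "INCRFROMFILENOLOOP": "f",
    "RNDS": "n",
}

TOKEN_RE = re.compile(r"\[([^\[\]]*)\]")                    # one [...] placeholder
CALL_RE = re.compile(r"^(?:([A-Z])=)?([A-Z]+)\((.*)\)$")    # [A=KEYWORD(args)]
VAR_RE = re.compile(r"^[A-Z]$")                             # [A] (assumed form)


def check_token(token, defined):
    """Return the problems found in one placeholder; record definitions."""
    if VAR_RE.match(token):
        if token in defined:
            return []
        return [f"variable {token} is used before it is defined"]
    call = CALL_RE.match(token)
    if not call:
        return [f"unrecognised placeholder [{token}]"]
    var, keyword, raw_args = call.groups()
    if var:
        defined.add(var)
    kinds = KEYWORDS.get(keyword)
    if kinds is None:
        return [f"keyword {keyword} is not listed in Table B.4"]
    args = [a.strip() for a in raw_args.split(";")]
    if len(args) != len(kinds):
        return [f"{keyword} takes {len(kinds)} argument(s), got {len(args)}"]
    problems = []
    for kind, arg in zip(kinds, args):
        if kind == "n" and not arg.isdigit():
            problems.append(f"{keyword}: '{arg}' is not a non-negative integer")
        elif kind == "f" and not arg:
            problems.append(f"{keyword}: missing file name")
    if kinds == "nnn" and not problems and int(args[0]) > int(args[1]):
        problems.append(f"{keyword}: low {args[0]} is greater than high {args[1]}")
    return problems


def lint(template_text, rdn=None):
    """Return (line_number, problem) pairs; line 0 is the rdn= pattern."""
    defined, findings = set(), []
    lines = [(0, rdn)] if rdn else []
    lines += list(enumerate(template_text.splitlines(), 1))
    for lineno, line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or "# comment"
        attr, sep, value = line.partition(":")
        if not sep or not attr.strip():
            findings.append((lineno, "expected 'attribute: value'"))
            continue
        for token in TOKEN_RE.findall(value):
            findings += [(lineno, p) for p in check_token(token, defined)]
    return findings


# Example B.1 and the rdn pattern from the page.
PAGE_TEMPLATE = """\
objectclass: inetOrgPerson
sn: [B=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-FamilyNames)]
cn: [C=RNDFROMFILE(/usr/share/dirsrv/data/dbgen-GivenNames)] [B]
password: test[A]
description: user id [A]
mail: [C].[B]@example.com
telephonenumber: (555) [RNDN(0;999;3)]-[RNDN(0;9999;4)]
"""
PAGE_RDN = "uid:[A=INCRNNOLOOP(0;99999;5)]"

# Constructed template with three deliberate mistakes.
BAD_TEMPLATE = """\
# constructed example
sn: [B=RNDX(1)]
mail: [D]@example.com
telephonenumber: [RNDN(999;0;3)]
"""

if __name__ == "__main__":
    for lineno, problem in lint(BAD_TEMPLATE):
        print(f"line {lineno}: {problem}")
```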
B.1.5.2. Adding Entries
The ldclt tool can add entries that match either of two templates:
- person
- inetorgperson
The -f filter sets the format of the naming attribute for the user entries. For example, -f "cn=MrXXXXX" creates a name like cn=Mr01234. Using the person or inetorgperson parameter with -f creates a basic entry.
objectclass: person
sn: ex sn
cn: Mr01234
rdn parameter and an object file. The full range of options for the entries is covered in Section B.1.5.1, “Generating LDIFs”. The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
-e rdn='uid:[A=INCRNNOLOOP(0;99999;5)]',object=inet.txt
The ldclt tool creates entries in a numeric sequence. That means that the method of adding those entries and of counting the sequence have to be defined as well. Some possible options for this include:
- -r and -R to set the numeric range for entries
- incr or random to set the method of assigning numbers (these are only used with -f)
- noloop, to stop the add operations when it hits the end of the range rather than looping back
Example B.2. Adding Entries
ldclt -b ou=people,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q
The add operation can also be used to build a directory tree for more complex testing. Whenever an entry is added to the directory that belongs to a non-existent branch, the ldclt tool automatically creates that branch entry.
Note
cn, o, or ou.
Example B.3. Creating the Directory Tree
ldclt -b ou=DeptXXX,dc=example,dc=com -D "cn=Directory Manager" -w secret -e add,person,incr,noloop,commoncounter -r0 -R99999 -f "cn=MrXXXXX" -v -q
B.1.5.3. Search Operations
ldclt search test simply looks for all entries within the given base DN. This uses two execution parameters: esearch and random.
Example B.4. Basic Search Operation
ldclt -h localhost -p 389 -D "cn=directory manager" -w secret -b "ou=people,dc=example,dc=com" -f uid=testXXXXX -e esearch,random -r0 -R99999 -I 32
Important
ldclt is designed to perform searches that return one entry.
attrlist execution parameter and a colon-separated list of attributes.
Example B.5. Searching for a List of Attributes
ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f uid=XXXXX -e esearch,random -r0 -R99999 -I 32 -e attrlist=cn:mail
The ldclt search operation can return attribute values for attributes randomly selected from the search list. The list is given in the randomattrlist execution parameter with a colon-separated list of attributes.
Example B.6. Searching for a List of Random Attributes
ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f uid=XXXXX -e esearch,random -r0 -R99999 -I 32 -e randomattrlist=cn:sn:ou:uid:mail:mobile:description
Example B.7. Searches with Alternate Filters
ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -f mail=XXXXXX@example.com -e esearch,random -r0 -R99999 -I 32 -e randomattrlist=cn:sn:ou:uid:mail:mobile:description
The rdn and object execution parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
Example B.8. Searches with RDN Filters
ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e rdn='mail:[RNDN(0;99999;5)]@example.com',object="inet.txt" -e attrlist=cn:telephonenumber
B.1.5.4. Modify Operations
The attreplace execution parameter replaces specific attributes in the entries.
The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
Example B.9. Modify Operation
ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -e rdn='uid:[RNDN(0;99999;5)]' -I 32 -e attreplace='description: random modify XXXXX'
B.1.5.5. modrdn Operations
The ldclt command supports two kinds of modrdn operations:
- Renaming entries
- Moving an entry to a new parent
The ldclt utility creates the new entry name or parent from a randomly-selected DN.
- rename
- rdn='pattern'
- object=file
The rdn and object parameters provide the format for the entries to add or edit in the directory. The rdn execution parameter takes a keyword pattern (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file.
Example B.10. Simple Rename Operation
ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret -b "ou=people,dc=example,dc=com" -I 32 -I 68 -e rename,rdn='uid:[RNDN(0;999;5)]',object="inet.txt"
The withnewparent execution parameter renames the entry and moves it beneath a new parent entry. If the parent entry doesn't exist, then the ldclt tool creates it.[4]
Example B.11. Renaming an Entry and Moving to a New Parent
ldclt -h localhost -p 389 -D "cn=Directory Manager" -w secret12 -b "ou=DeptXXX,dc=example,dc=com" -I 32 -I 68 -e rename,withnewparent,rdn='uid:Mr[RNDN(0;99999;5)]',object="inet.txt"
B.1.5.6. Delete Operations
The ldclt delete operation is exactly the reverse of the add operation. As with the add, delete operations can remove entries in several different ways:
- Randomly (-e delete,random)
- RDN-ranges (-e delete,rdn=[pattern])
- Sequentially (-e delete,incr)
- -e delete,random
- -r and -R for the range bounds
- -f for the filter to match the entries
Example B.12. Random Delete Operations
ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,random -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q
rdn execution parameter with a keyword (as listed in Table B.4, “ldclt Template LDIF File Keywords”) and draws its entry pool from the entries listed in a text file. This format requires three execution parameters:
- -e delete
- -e rdn='pattern'
- -e object='file'
Example B.13. RDN-Based Delete Operations
ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,rdn='uid:[INCRNNOLOOP(0;99999;5)]',object="inet.txt" -I 32 -v -q
- -e delete,incr
- -r and -R for the range bounds
- -f for the filter to match the entries
Example B.14. Sequential Delete Operations
ldclt -b "ou=people,dc=example,dc=com" -D "cn=Directory Manager" -w secret -e delete,incr -r0 -R99999 -f "uid=XXXXXX" -I 32 -v -q
B.1.5.7. Bind Operations
ldclt thread binds once to the server and then runs all of its operations in a single session. The -e bindeach can be used with any other operation to instruct the ldclt tool to bind for each operation and then unbind before initiating the next operation.
-e add,bindeach ...
-e bindeach,bindonly execution parameters and no other operation information. For example:
ldclt -h localhost -p 389 -b "ou=people,dc=example,dc=com" -e bindeach,bindonly -e bind_info
-D and -w user name and password pair in the connection parameters.
Note
-e close option with the bind parameters to test the effect that dropping connections has on the Directory Server, instead of unbinding cleanly.
Example B.15. Bind Only and Close Tests
ldclt -h localhost -p 389 -D "cn=directory manager" -w secret -e bindeach,bindonly,close
randombinddnfromfile) or using a DN selected randomly from within a range (-e randombinddn,randombinddnlow=X,randombinddnhigh=Y).
Example B.16. Random Binds from Identities in a File
ldclt -h localhost -p 389 -e bindeach,bindonly -e randombinddnfromfile=/tmp/testbind.txt
-e add, where the accounts were added in a range. The ldclt tool can autogenerate values using X as a variable and incrementing through the specified range.
Example B.17. Random Binds from Random Base DN
ldclt -h localhost -p 389 -e bindeach,bindonly -D "uid=XXXXX,dc=example,dc=com" -w testXXXXX -e randombinddn,randombinddnlow=0,randombinddnhigh=99999
B.1.5.8. Running Operations on Random Base DNs
The randombase parameters set the range of organizational units to select from. A variable in the -b base entry sets the format of the base DN.
-b "ou=DeptXXX,dc=example,dc=com" -e randombase,randombaselow=0,randombasehigh=999 ...
B.1.5.9. SSL Authentication
- The connection parameters, -Z, which gives the path to the security databases for the Directory Server
- The execution parameters, cltcertname, keydbfile, and keydbpin, which contain the information that the server will prompt for to access the SSL databases
ldclt -h host -p port -e bindeach,bindonly -Z certPath -e cltcertname=certName,keydbfile=filename,keydbpin=password
B.1.5.10. Abandon Operations
The -e abandon parameter opens and then cancels operations on the server. This can be run by itself or with other types of operations (like -e add or -e esearch).
ldclt -e abandon -h localhost -p 389 -D "cn=directory manager" -w secret -v -q -b "ou=people,dc=example,dc=com"
B.2. rsearch (Search Stress Tests)
The rsearch utility opens multiple threads that perform the same operation, quickly and repeatedly, in a loop against the specified Directory Server instance, according to the parameters set in the command.
rsearch emulates multiple client connections for search operations. With additional options, rsearch can be expanded to perform compare, modify, delete, and bind/unbind operations along with search operations.
Note
rsearch tests naturally depend on the performance of the Directory Server and its host machine. Optimize the configuration of the Directory Server and machine first through performance tuning (as in the Tuning Red Hat Directory Server Performance).
The rsearch utility is located in the /usr/bin directory.
B.2.1. Syntax
rsearch -D bind_dn -w password -s suffix -f filter [-h host] [-p port] [-S scope] [-b] [-u] [-L] [-N] [-v] [-y] [-q] [-l] [-m] [-M] [-d] [-c] [-i file_for_filters] [-B DN_or_uid_file] [-A attributes] [-a file_of_attributes] [-n] [-o search_time_limits] [-j sample_interval] [-t threads] [-T timelimit] [-V] [-C number_of_samples] [-R reconnect_interval] [-x] [-W password] [-U text] [-\? or -H]
B.2.2. Options
Table B.5. rsearch Options
| Option | Description |
|---|---|
| -A attributes | Contains a list of attributes to be used with the search request. This cannot be used with -a. |
| -a file_of_attributes | Points to a file which contains a list of attributes to be used with the search request. Each attribute must be on a separate line in the file. For example: attr1 attr2 ... This cannot be used with -A. |
| -B DN_or_uid_file | Contains a list of either DNs or UIDs which are used to bind to the server. For DNs, each entry has two lines, one for the DN and one for the UID (which is used as the default password): DN: dn UID: uid ... The UID file simply has one UID per line: UID: uid1 UID: uid2 ... |
| -b | Tells the utility to bind before every operation. |
| -C sample_numbers | Gives the number of samples to take and then exits the utility. |
| -c | Specifies a compare operation. If this is used, then the -B option must be used. |
| -D bind_dn | Gives the bind DN for the rsearch utility to use to connect to the server; if no other identity is supplied in a DN file (-B -x), this is the identity used to run tests. |
| -d | Specifies a delete operation. If this is used, then the -B option must be used. |
| -f filter | Contains the search filter to be used with search operations. |
| -h host | Gives the host name of the LDAP server to connect to. The default, if not given, is localhost. |
| -i file | Points to a file that contains the names to be appended to the search filter passed with the -f option. The name file is a simple list, with each name on a separate line, for example joe and jane. A filter option that could be used with this file would be “uid=”, which results in filters of both "uid=joe" and "uid=jane" randomly being used. |
| -j sample_interval | Specifies an interval, in seconds, to wait before collecting a sample. |
| -L | Sets the connection to linger. The connection is discarded when the utility closes. |
| -l | Logs the utility output. |
| -M | Specifies a modify operation for an indexed attribute (telephonenumber). This requires the -B option. |
| -m | Specifies a modify operation for an unindexed attribute (description). This requires the -B option. |
| -N | Specifies that the tool will only bind to the server, without running any other operation. |
| -n | Reserved for future use. |
| -o search_time_limit | Gives the time limit, in seconds, to use for search operations. |
| -p port | Gives the port to use to connect to the Directory Server instance. If this is not used, the default is 389. |
| -q | Runs the tool quietly. |
| -R reconnect_interval | Tells the utility to drop the connection to server and reconnect after the specified number of searches (reconnect_interval). |
| -S scope | Sets the search scope. The allowed values are 0, 1, and 2, corresponding to one-level, base, and subtree, respectively. The default is 2. |
| -s suffix | Gives the suffix in the Directory Server against which to run all of the tests. |
| -T timelimit | Sets a total time limit for the rsearch tests. Once the utility hits that limit, the tool closes. |
| -t threads | Sets the number of threads for the utility to open. The default is 1. |
| -U | Passes a filter to use with the bind file. If -x is not used, this option is ignored. The default value is '(uid=%s)'. |
| -u | Tells the utility not to unbind from the server, but simply to close the connection. |
| -V | Shows the running averages of the rsearch results. |
| -v | Runs the command in verbose mode. |
| -W | Gives the password to use to bind with identities in the -B file. If this is not given, the default is the UID value. |
| -x | Tells the utility to use the contents of the -B file for binding. If this is not used, then the -B option is ignored. |
| -y | Runs the command with no delay between tests. |
| -\? or -H | Prints the usage for the tool. |
B.2.3. Usage Scenarios
The rsearch utility can be used to measure the performance of any LDAP operation. The following examples show how to use rsearch for a variety of common test scenarios.
Note
rsearch requires arguments for search parameters like filter and scope, but these arguments can be left empty to perform tests for other kinds of LDAP operations. For example:
rsearch -D "cn=directory manager" -w secret -s "" -f ""
B.2.3.1. Allowed Configuration Files
The rsearch tool uses the information passed in the command line to connect to the server. The rsearch tool can accept two different configuration files to use in place of the passed arguments:
- A DN or UID file, which contains a list of either UIDs or both DNs and UIDs. The DN/UID file allows rsearch to connect using multiple, randomly-selected bind identities. Any operation test can be combined with a bind/unbind test.
  Warning
  Random bind identities should not be used with a delete test because the command may attempt to bind with an identity in the DN/UID file that has already been deleted from the directory.
  DN/UID files are used with the -B option to pass the file and then an operation option (-c, -d, -m, or -x).
- A name file, which contains a list of names to use as part of the given LDAP filters. The filter in the file can be more complex than the ones specified in the -f option. The filter file can be used to run a number of different search tests. For example, having only a few filters means that the tool will begin retrieving results from cache, while using invalid filters can test search failures. It can also test filter performance, such as exact matches, complex filters, or attribute searches.
  When using a filter file, the -f option must be passed with a placeholder value. The placeholder can be used to replace only an attribute value, such as cn=%s, which tells the command to pull the attribute value variable from the filter file. The placeholder can also replace the filter itself (-f "%s") to supply randomly-selected filters from the file.
  The -i option passes the name file to use for the search filters. Every line in the file is appended to whatever filter is given with the -f option. There are a couple of different ways that these two options can be used together:
  - The simplest scenario leaves the -f option empty, so it's just a placeholder. In this case, the filters are taken directly from the file passed with the -i option.
  - Alternatively, the entries in the file could simply be a list of names, and a partial filter can be given for the -f option. For example, the name file could have a list of UIDs (jsmith, bjensen, amorrow) and the -f filter could be "uid=". rsearch automatically appends the name to complete the search filter.
B.2.3.2. Results from rsearch
rsearch returns the current running average for the operations run by the script.
date timestamp - Rate: num_ops/thr (ops/sec = num ms/op), total: ops (number thr)
[jsmith@server ~]$ rsearch -D "cn=directory manager" -w secret -s "ou=people,dc=example,dc=com" -f "objectclass=%s"
rsearch: 1 threads launched.
20100209 20:20:40 - Rate: 65961.00/thr (6596.10/sec = 0.1516ms/op), total: 65961 (1 thr)
B.2.3.3. Search Testing
rsearch is search testing. Measuring search performance can be done using only the required arguments with rsearch, without any optional arguments:
rsearch -D bind_dn -w password -s suffix -f filter
-i file) can test different kinds of indexed attributes:
- Filters without wildcards show the performance for exact matches
- Filters with wildcards give performance for substring indexes
- Filters with operators (=, >=, <=, ~=) show the performance for approximate indexes
Example B.18. Basic Search
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "sn=*smith*"
- -D, which gives the bind identity
- -w, which gives the bind password
- -s, which gives the search target (scope)
- -f, which gives the search filter
Example B.19. Searches for Specific Attributes
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -A givenname,mail,uid
-A option.
-i option is not required, but it is recommended to supply different search filters so that the results are pulled fresh from the database, not from the cache.
B.2.3.4. Authentication Testing
The rsearch utility uses the user DN and password in the (required) -D and -w arguments to bind to the server. To test authentication performance, these credentials can be left blank, can be passed a list of credentials that are randomly selected, or can be set to a special user, like the Directory Manager.
Example B.20. Anonymous Binds
rsearch -D "" -w "" -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt
The -D and -w arguments have empty values, so the tool doesn't have any bind credentials to use to connect to the server. This initiates an anonymous bind.
Example B.21. Random User Authentication
rsearch -D "" -w "" -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -B /home/uids.txt -x
-D and -w arguments, the rsearch tool can be instructed to pull random bind identities from a list of given UIDs or DNs. This requires two options:
- -B points to a file with a list of bind identities. For a UID file, this is simply a list of UIDs, one per line:
  UID: uid1
  UID: uid2
  ...
  For DNs, each entry has two lines, one for the DN and one for the UID (which is used as the default password):
  DN: dn
  UID: uid
  ...
- -x forces the tool to use the file from the -B argument.
The -U option tells the tool to use an attribute other than the UID as the entry naming attribute and -W passes a different password (which, by default, is the UID).
rsearch -D "" -w "" -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -B /home/uids.txt -x -U "(cn=*)" -W newpassword
B.2.3.5. Modify Operation Testing
rsearch can be used to measure the performance of modify operations on two kinds of attributes: indexed and unindexed. The modify operation is signaled by using either the -M or the -m option. A list of entries to run modify operations against is passed using the -B option.
Note
DN: dn1
UID: uid1
DN: dn2
UID: uid2
...
The -b option measures the rate of each set of bind-modify operations. If the -b option isn't used, then there is only one bind operation, and the test shows the average of all modify operations that are run.
Example B.22. Modify Operations on Unindexed Attributes
rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -m -B /home/dns.txt -v
-m option. The command performs modify operations on the description attribute for each entry selected from the DN file.
description attribute is indexed, so make sure that the attribute isn't indexed before running the test.
Example B.23. Modify Operations on Indexed Attributes
rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -M -B /home/dns.txt -v
-M option. The command performs modify operations on the telephoneNumber attribute for each entry selected from the DN file.
telephoneNumber attribute isn't indexed, so make sure that the attribute is indexed before running the test.
B.2.3.6. Compare Operation Testing
The ldapcompare operation can be tested using rsearch by passing the -c option. The tool runs compare operations against the UID attribute, based on the list of UIDs passed in the -B option.
Note
DN: dn1
UID: uid1
DN: dn2
UID: uid2
...
Example B.24. Compare Operations
rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -c -B /home/dns.txt -v
The -c argument tells the command to perform compare operations. This is required. Two other arguments are useful for measuring the performance of compare operations:
- -B (without the -x), which provides a list of entries that the server can run compare operations for.
- -v, which runs rsearch in verbose mode and prints the results of each bind attempt and compare operation.
B.2.3.7. Delete Operation Testing
-d, which tells the command to run delete operations. As with other operations, the -B argument can be used to pass a file which contains a list of entries to be randomly selected and deleted.
Note
-B -x option pair with delete operations, because the command may attempt to bind to the server with an identity which has already been deleted.
Example B.25. Delete Operations
rsearch -D "cn=test user,cn=config" -w secret -s "" -f "" -d -B /home/dns.txt
If the -B argument is used to supply a list of entries available to delete, then it must be a DN file, which has the format:
DN: dn1
UID: uid1
DN: dn2
UID: uid2
...
B.2.3.8. Changing Time Limits
rsearch has several time-based metrics:
- The period that operations are run for gathering one round of statistics (by default, ten seconds)
- How long the tool runs (by default, indefinitely)
- How long the tool maintains a connection to the server (by default, indefinitely)
Example B.26. Setting the Operations Interval
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -j 20
The rsearch tool prints the results for the operations performed in the immediate interval. The default interval is ten (10) seconds, so every line in the output represents the statistics for the operations run in the preceding ten seconds. This interval can be changed using the -j option.
Example B.27. Setting the Test Time Limit
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -T 600
...
20100210 18:36:21 - Rate: 68561.00/thr (6856.10/sec = 0.1459ms/op), total: 68561 (1 thr)
20100210 18:36:31 - Rate: 78016.00/thr (7801.60/sec = 0.1282ms/op), total: 78016 (1 thr)
Final Average rate: 7328.85/sec = 0.1364msec/op, total: 78016
The -T option sets a time limit (in seconds) for the test to run and then exit cleanly. When the tool exits, it prints a final summary of the averages of all test run intervals.
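The interval lines and the final summary in Example B.27 follow the result format given under Results from rsearch, so they can be checked mechanically after a test run. The Python below is an added example, not part of the original reference or of rsearch: it parses both line types, cross-checks the figures on each line, and lists intervals where throughput dropped. The function names, the tolerance values and the 0.8 floor are assumptions, as is the reading that ops/sec equals the interval total divided by the sampling interval (it holds for the samples on this page).

```python
import re
from statistics import mean, median

# Interval line, in the format documented under "Results from rsearch":
#   date timestamp - Rate: num_ops/thr (ops/sec = num ms/op), total: ops (number thr)
INTERVAL_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d\d:\d\d:\d\d) - Rate:\s+(?P<per_thread>\d+\.\d+)/thr\s+"
    r"\(\s*(?P<per_sec>\d+\.\d+)/sec =\s+(?P<ms_per_op>\d+\.\d+)ms/op\), "
    r"total:\s+(?P<total>\d+) \(\s*(?P<threads>\d+) thr\)$"
)
# Summary line printed when the -T time limit ends the run.
FINAL_RE = re.compile(
    r"^Final Average rate:\s+(?P<per_sec>\d+\.\d+)/sec =\s+"
    r"(?P<ms_per_op>\d+\.\d+)msec/op, total:\s+(?P<total>\d+)$"
)

# Output lines copied from Example B.27 on this page.
SAMPLE = """\
...
20100210 18:36:21 - Rate: 68561.00/thr (6856.10/sec = 0.1459ms/op), total: 68561 (1 thr)
20100210 18:36:31 - Rate: 78016.00/thr (7801.60/sec = 0.1282ms/op), total: 78016 (1 thr)
Final Average rate: 7328.85/sec = 0.1364msec/op, total: 78016
"""


def _fields(match):
    """Convert regex groups to numbers, keeping date and time as strings."""
    out = {}
    for name, value in match.groupdict().items():
        if name in ("date", "time"):
            out[name] = value
        elif name in ("total", "threads"):
            out[name] = int(value)
        else:
            out[name] = float(value)
    return out


def parse_rsearch_output(text):
    """Return (interval_samples, final_summary_or_None); other lines are skipped."""
    intervals, final = [], None
    for line in text.splitlines():
        line = line.strip()
        m = INTERVAL_RE.match(line)
        if m:
            intervals.append(_fields(m))
            continue
        m = FINAL_RE.match(line)
        if m:
            final = _fields(m)
    return intervals, final


def inconsistencies(intervals, final=None, interval_seconds=10):
    """Cross-check the figures on each line; interval_seconds is the -j value."""
    problems = []
    for s in intervals:
        stamp = f"{s['date']} {s['time']}"
        if abs(s["per_thread"] * s["threads"] - s["total"]) > 0.01 * s["threads"]:
            problems.append(f"{stamp}: total does not equal rate per thread x threads")
        if abs(s["total"] / interval_seconds - s["per_sec"]) > 0.006:
            problems.append(f"{stamp}: ops/sec does not match a {interval_seconds}s interval")
        # A stalled server can report 0 ops/sec; skip the latency check then.
        if s["per_sec"] > 0 and abs(1000.0 / s["per_sec"] - s["ms_per_op"]) > 0.0001:
            problems.append(f"{stamp}: ms/op is not 1000 / ops/sec")
    if final and intervals:
        if abs(mean(s["per_sec"] for s in intervals) - final["per_sec"]) > 0.006:
            problems.append("final average differs from the mean of the parsed intervals")
    return problems


def degraded(intervals, floor=0.8):
    """Timestamps of intervals whose ops/sec fell below floor x the run's median."""
    if not intervals:
        return []
    cutoff = floor * median(s["per_sec"] for s in intervals)
    return [f"{s['date']} {s['time']}" for s in intervals if s["per_sec"] < cutoff]


if __name__ == "__main__":
    samples, summary = parse_rsearch_output(SAMPLE)
    print(inconsistencies(samples, summary), degraded(samples))
```

When only an excerpt of a run is parsed, the final-average check compares against the excerpt alone, so a mismatch there may simply mean that earlier interval lines are missing.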
Example B.28. Setting a Reconnect Interval
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -R 30
-R, sets a time interval for the tool to reconnect to the Directory Server.
B.2.3.9. Bind Testing with Any Operation
rsearch. This requires one option, -b, which tells the tool to bind to the server with every operation.
-L (which sets the tool to linger) and -N (which tells the tool to bind and unbind without performing any other operations).
Example B.29. Binding and Unbinding with Every Operation
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "cn=%s" -i /home/filter.txt -b -L
rsearch:
- -b (required)
- -L (recommended)
-i option is not required, but it is recommended to supply different search filters so that the results are pulled fresh from the database, not from the cache.
Example B.30. Testing Anonymous Bind Operations
rsearch -D "" -w "" -s "" -f "" -N -b -L
-b option and leave the values for the -D and -w options empty. The -N option ensures that the command only attempts bind and unbind operations.
Example B.31. Testing Random Bind Operations
rsearch -D "" -w "" -s "" -f "" -B /home/uids.txt -x -N -b -L
The -N option ensures that the command only attempts bind and unbind operations, while the -B and -x options supply a list of random bind credentials for the command to select from.
Example B.32. Testing Using a Filter with Bind Operations
rsearch -D "" -w "" -s "" -f "" -B /home/uids.txt -x -U "(uid=*son)" -N -b -L
"(uid=%s)", which every identity entry has. To use only a subset of the identities in the file, the -U option can be used to pass an alternate filter.
B.2.3.10. Performing Multi-Threaded Testing
Example B.33. Multiple Threads
rsearch -D "cn=test user,cn=config" -w secret -s "dc=example,dc=com" -f "sn=%s" -i /home/filter.txt -t 5
rsearch opens one thread for operations. The -t option allows multiple threads to be opened.
Appendix C. Admin Server Command-Line Tools
C.1. sec-activate
The sec-activate tool activates and deactivates SSL for the Admin Server.
The sec-activate tool is located in the /usr/lib/dirsrv/cgi-bin/ directory.
sec-activate serverRoot SSLEnabled
| Argument | Description |
|---|---|
| serverRoot | The location of the Admin Server configuration directory. The default location is /etc/dirsrv/admin-serv. |
| SSLEnabled | Sets whether to turn SSL on or off for the Admin Server. |
sec-activate /etc/dirsrv/admin-serv on
C.2. modutil
The modutil tool is a command-line utility for managing PKCS #11 module information stored in secmod.db files or hardware tokens. modutil can perform a variety of security database operations:
- Adding and deleting PKCS #11 modules
- Changing passwords
- Setting defaults
- Listing module contents
- Enabling or disabling slots
- Enabling or disabling Federal Information Processing Standard (FIPS) 140-2 compliance
- Assigning default providers for cryptographic operations
- Creating key3.db, cert8.db, and secmod.db security databases.
key3.db files) and certificate databases (cert8.db files). The key, certificate, and PKCS #11 module management process generally begins with creating the keys and key database necessary to generate and manage certificates and the certificate database.
The modutil tool is located in the /usr/bin folder.
modutil task [option]
You can use the modutil tool to perform a number of different tasks. These tasks are specified through the use of commands and options. Commands specify the task to perform. Options modify a task command.
Note
modutil command can take one task and one option.
modutil commands do and what options are available for each. Table C.2, “Options for modutil” defines what the options do.
Table C.1. Task Commands for modutil
| Tasks | Description | Allowed Options |
|---|---|---|
| -add moduleName | Adds the named PKCS #11 module to the database. | |
| -changepw token | Changes the password for the named token. If the token has not been initialized, this option initializes it with the supplied password. In this context, the term password is equivalent to a personal identification number (PIN). | |
| -create | Creates new secmod.db, key3.db, and cert8.db files. If any of these security databases already exist in a specified directory, the modutil tool displays an error message. | |
| -default moduleName | Sets the security mechanisms for which the named module is a default provider. | |
| -delete moduleName | Deletes the named module. You cannot delete the internal PKCS #11 module. | |
| -disable moduleName | Disables all slots on the named module. To disable a specific slot, use the -slot option. | |
| -enable moduleName | Enables all slots on the named module. To enable a specific slot, use the -slot option. | |
| -fips true\|false | Enables or disables the FIPS 140-2 compliance mode in Directory Server. For details, see Managing FIPS Mode Support in the Directory Server Administration Guide. | |
| -force | Disables the modutil tool's interactive prompts so it can be run from a script. Use this command only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity. | |
| -jar JARfile | Adds a new PKCS #11 module to the database. The module must be contained in the named JAR file. The JAR file identifies all files to install, the module name, and mechanism flags. It should also contain any files to be installed on the target machine, including the PKCS #11 module library and other files, such as documentation. The JAR file uses the Netscape Server PKCS #11 JAR format. See JAR Information File for more information on creating JAR files. | |
| -list [moduleName] | Shows basic information about the contents of the secmod.db file. To display detailed information about a particular module, including its slots and tokens, specify a value for moduleName. | |
| -undefault moduleName | Specifies the security mechanisms for which the named module will not be a default provider. | |
modutil task commands.
Table C.2. Options for modutil
| Option | Description |
|---|---|
| -dbdir dbFolder | Specifies a folder in which to access or create security module database files. This argument is required for every command. This should point to the Admin Server configuration directory. For example: -dbdir /etc/dirsrv/admin-serv |
| -installdir installation_directory | Specifies the root installation folder for the files supplied with the -jar JAR-file task. The installation_directory folder should be one in which it is appropriate to store dynamic library files. |
| -libfile libraryFile | Specifies the library file which contains the PKCS #11 module that is being added to the database. Use the full path to identify the file. |
| -mechanisms mechanismList | Specifies the security mechanisms for which a particular module is the default provider. The mechanismList is a colon-separated list of mechanism names. Enclose this list in quotation marks if it contains spaces. The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module is assigned as a mechanism's default provider, the mechanism's default provider is listed as undefined. The following mechanisms are currently available: |
| -newpwfile newPasswordFile | Specifies a text file containing a token's new password. This allows the password to be automatically updated when using the -changepw command. |
| -nocertdb | Instructs modutil not to open the certificate or key databases. This has several effects: |
| -pwfile passwordFile | Specifies a text file containing a token's current password. This allows automatic entry of the password when using the -changepw command. |
| -slot slotName | Specifies a particular slot to enable or disable when using the -enable or -disable commands. |
| -tempdir temporaryFolder | Specifies a folder in which to store temporary files created by the -jar command. If a temporary folder is not specified, the current folder is used. |
JAR (Java Archive) is a platform-independent file format that aggregates many files into one. JAR files are used by modutil to install PKCS #11 modules. When modutil uses a JAR file, a special JAR information file must be included. This information file contains special scripting instructions and must be specified in the JAR file's MANIFEST file. Although the information file can have any name, it is specified using the Pkcs11_install_script METAINFO command.
METAINFO command in the MANIFEST, see https://docs.oracle.com/cd/E19957-01/816-6164-10/.
pk11install, the text file for the Signing Tool contains the following METAINFO tag:
+ Pkcs11_install_script: pk11install
Example C.1. Example JAR File
ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
Platforms {
Linux:2.0.32:x86 {
ModuleName { "Fortezza Module" }
ModuleFile { win32/fort32.dll }
DefaultMechanismFlags{0x00000001 }
CipherEnableFlags{ 0x00000001 }
Files {
win32/setup.exe {
Executable
RelativePath { %temp%/setup.exe }
}
win32/setup.hlp {
RelativePath { %temp%/setup.hlp }
}
win32/setup.cab {
RelativePath { %temp%/setup.cab }
}
}
}
Linux:2.0.32:x86 {
EquivalentPlatform {WINNT::x86}
}
SUNOS:5.5.1:sparc {
ModuleName { "Fortezza UNIX Module" }
ModuleFile { unix/fort.so }
DefaultMechanismFlags{ 0x00000001 }
CipherEnableFlags{ 0x00000001 }
Files {
unix/fort.so {
RelativePath{%root%/lib/fort.so}
AbsolutePath{/usr/local/Red Hat/lib/fort.so}
FilePermissions{555}
}
xplat/instr.html {
RelativePath{%root%/docs/inst.html}
AbsolutePath{/usr/local/Red Hat/docs/inst.html}
FilePermissions{555}
}
}
}
IRIX:6.2:mips {
EquivalentPlatform { SUNOS:5.5.1:sparc}
}
}
modutil interprets can be used to specify different module installation procedures for different platforms.
Global keys define the platform-specific sections of the JAR information file. There are two global keys: ForwardCompatible and Platforms.
ForwardCompatible is an optional key that specifies a list of system architectures and operating systems that are compatible with later versions of the same architectures and operating systems. If the platform that modutil is installing the module on is not specified by the Platforms key, then the ForwardCompatible list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform.
The ForwardCompatible key uses the following format:
ForwardCompatible { Solaris:5.5.1:sparc }
Platforms key.
Platforms is a required key that specifies a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform and the value list contains various attributes of the platform. The ModuleName, ModuleFile, and Files attributes must be specified for each platform unless an EquivalentPlatform attribute is specified. For more information, see Per-Platform Keys.
system name:OS release:architecture
The modutil program obtains the system name, release number, and architecture values from the system on which the modutil tool is running. The following system names and platforms are currently recognized:
- HP-UX (hppa1.1)
- Linux (x86)
- Solaris (sparc)
Linux:5.2.0:x86
ModuleName is a required key that specifies the common name for the module. This name acts as a reference to the module for Red Hat Communicator, the modutil tool, servers, or any other program that uses the Red Hat security module database.
ModuleFile is a required key that names the PKCS #11 module file (.so) for this platform. The file name should be a path that is relative to the JAR file location.
DefaultMechanismFlags is an optional key that specifies mechanisms for which this module is a default provider. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR of the string constants listed in Table C.3, “Mechanisms and Default Mechanism Flags”. Omitting the DefaultMechanismFlags entry causes the value to default to 0x0.
Table C.3. Mechanisms and Default Mechanism Flags
| Mechanism | Hexadecimal Bitstring Value |
|---|---|
| RSA | 0x00000001 |
| DSA | 0x00000002 |
| RC2 | 0x00000004 |
| RC4 | 0x00000008 |
| DES | 0x00000010 |
| DH | 0x00000020 |
| FORTEZZA | 0x00000040 |
| RC5 | 0x00000080 |
| SHA1 | 0x00000100 |
| MD5 | 0x00000200 |
| MD2 | 0x00000400 |
| RANDOM | 0x08000000 |
| FRIENDLY | 0x10000000 |
| OWN_PW_DEFAULTS | 0x20000000 |
| DISABLE | 0x40000000 |
Files is a required key that lists the files that need to be installed for this module. Each entry in the file list is a key-value pair. The key includes the path to the file that is contained in the JAR archive and the value list contains the attributes of the file. At a minimum, you must specify either RelativePath or AbsolutePath for each file. If desired, you can specify additional attributes. For more information, see Per-File Keys.
The EquivalentPlatform key specifies that the attributes of the named platform should also be used for the current platform. Using this key saves time when more than one platform uses the same settings.
These keys have meaning only within an entry in a Files list. At a minimum, RelativePath or AbsolutePath must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if a relative root folder is not provided by modutil.
The RelativePath key specifies the destination path of the file, relative to a folder indicated at installation. You can assign values for two variables in the relative path, %root% and %temp%. At run time, %root% is replaced with a folder in which files should be installed, such as the server's root folder. The %temp% folder is created at the beginning of the installation and destroyed at the end.
%temp% is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary folder are in place before any executable file is launched. They are not deleted until all executable files have finished.
The AbsolutePath key specifies the destination of the file as an absolute path. If both RelativePath and AbsolutePath are specified, modutil attempts to use the relative path. If it is unable to determine a relative path, it uses the absolute path.
The Executable key specifies that a file is to be executed during the course of the installation. Typically, this key is used to identify a setup program provided by a module vendor. The setup program itself is specified by the RelativePath or AbsolutePath key.
setup.exe program (located in the %temp% folder) is an executable file, include the following lines in your JAR information file:
Executable
RelativePath { %temp%/setup.exe }
Executable key before a RelativePath or AbsolutePath key to indicate
The FilePermissions key specifies the access permissions to apply to a file. The modutil program interprets the key as a string of octal digits, following the standard UNIX format. This key is a bitwise OR of the string constants listed in Table C.4, “File Permissions Specified Using FilePermissions”. For example, to specify read and execute access for all users, enter 555 (bitwise 400 + 100 + 040 + 010 + 004 + 001).
Table C.4. File Permissions Specified Using FilePermissions
| File Permission | Bitstring Value |
|---|---|
| User Read | 400 |
| User Write | 200 |
| User Execute | 100 |
| Group Read | 040 |
| Group Write | 020 |
| Group Execute | 010 |
| Other Read | 004 |
| Other Write | 002 |
| Other Execute | 001 |
If FilePermissions is not specified, 777 (read, write, and execute for all users) is assumed.
Example C.2. Creating Database Files
modutil -create -dbdir /etc/dirsrv/admin-serv

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

Creating "/etc/dirsrv/admin-serv/key3.db"...done.
Creating "/etc/dirsrv/admin-serv/cert8.db"...done.
Creating "/etc/dirsrv/admin-serv/secmod.db"...done.
Example C.3. Displaying Module Information
modutil -list -dbdir /etc/dirsrv/admin-serv
Using database directory /etc/dirsrv/admin-serv...
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
-----------------------------------------------------------
Example C.4. Setting a Default Provider
modutil -default "Cryptographic Module" -dbdir /etc/dirsrv/admin-serv -mechanisms RSA:DSA:RC2

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Successfully changed defaults.
Example C.5. Enabling a Slot
modutil -enable "Cryptographic Module" -slot "Cryptographic Reader" -dbdir /etc/dirsrv/admin-serv

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Slot "Cryptographic Reader" enabled.
Example C.6. Enabling FIPS Compliance
modutil -fips true

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

FIPS mode enabled.
Example C.7. Adding a Cryptographic Module
modutil -dbdir "/etc/dirsrv/admin-serv" -add "Cryptorific Module" -libfile "/crypto.dll" -mechanisms RSA:DSA:RC2:RANDOM

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Module "Cryptorific Module" added to database.
Example C.8. Installing a Cryptographic Module from a JAR File
Platforms {
   Linux:2.0.32:x86 {
      ModuleName { "SuperCrypto Module" }
      ModuleFile { crypto.dll }
      DefaultMechanismFlags{0x0000}
      CipherEnableFlags{0x0000}
      Files {
         crypto.dll {
            RelativePath{ %root%/system32/crypto.dll }
         }
         setup.exe {
            Executable
            RelativePath{ %temp%/setup.exe }
         }
      }
   }
   Win95::x86 {
      EquivalentPlatform { Winnt::x86 }
   }
}
modutil -dbdir "/etc/dirsrv/admin-serv" -jar install.jar -installdir "/etc"

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...

This installation JAR file was signed by:
----------------------------------------------
**SUBJECT NAME**
C=US, ST=California, L=Mountain View, CN=SuperCrypto Inc., OU=Digital ID Class 3 - Red Hat Object Signing, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network
**ISSUER NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network
----------------------------------------------

Do you wish to continue this installation? (y/n)
Using installer script "installer_script"
Successfully parsed installation script
Current platform is Linux:2.0.32:x86
Using installation parameters for platform Linux:2.0.32:x86
Installed file crypto.dll to /winnt/system32/crypto.dll
Installed file setup.exe to ./pk11inst.dir/setup.exe
Executing "./pk11inst.dir/setup.exe"...
"./pk11inst.dir/setup.exe" executed successfully
Installed module "SuperCrypto Module" into module database
Installation completed successfully
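Because an installer script can run a setup program and set file permissions, it is worth reviewing before it is passed to modutil -jar. The following added example, which is not from the original reference and is not part of modutil, parses a script in the format of Example C.8 and reports each file entry's destination, whether it runs during installation, and its effective permissions, treating an omitted FilePermissions as 777 as stated in the key descriptions. The helper.sh entry and the finding labels are constructed for illustration, and the parser assumes only the brace syntax visible in Example C.8.

```python
import re

# Constructed sample: the installer script from Example C.8 plus one
# hypothetical entry (helper.sh) with AbsolutePath and FilePermissions.
SAMPLE_SCRIPT = '''
Platforms {
  Linux:2.0.32:x86 {
    ModuleName { "SuperCrypto Module" }
    ModuleFile { crypto.dll }
    DefaultMechanismFlags{0x0000}
    CipherEnableFlags{0x0000}
    Files {
      crypto.dll {
        RelativePath{ %root%/system32/crypto.dll }
      }
      setup.exe {
        Executable
        RelativePath{ %temp%/setup.exe }
      }
      helper.sh {
        AbsolutePath{ /usr/local/bin/helper.sh }
        FilePermissions{ 555 }
      }
    }
  }
  Win95::x86 {
    EquivalentPlatform { Winnt::x86 }
  }
}
'''

# Tokens: quoted strings, braces, or bare words (keys, flags, paths).
TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}"]+')

def parse(text):
    """Parse the script into nested (name, children) pairs; children is
    None for a bare word such as the Executable flag."""
    tokens, pos = TOKEN.findall(text), 0

    def items():
        nonlocal pos
        out = []
        while pos < len(tokens) and tokens[pos] != "}":
            if tokens[pos] == "{":
                raise ValueError("unexpected '{' at token %d" % pos)
            name = tokens[pos].strip('"')
            pos += 1
            children = None
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                children = items()
                if pos >= len(tokens):
                    raise ValueError("missing '}' after %r" % name)
                pos += 1  # consume the closing brace
            out.append((name, children))
        return out

    tree = items()
    if pos != len(tokens):
        raise ValueError("unbalanced '}' at token %d" % pos)
    return tree

def leaf(children, key):
    """Return the first value stored under key, or None if absent."""
    for name, sub in children or []:
        if name == key and sub:
            return sub[0][0]
    return None

def audit(text):
    """Return one record per Files entry: destination, effective mode
    and review findings."""
    records = []
    for platform, body in dict(parse(text)).get("Platforms") or []:
        for fname, keys in dict(body or []).get("Files") or []:
            rel = leaf(keys, "RelativePath")
            absolute = leaf(keys, "AbsolutePath")
            # 777 is assumed when FilePermissions is omitted.
            mode = int(leaf(keys, "FilePermissions") or "777", 8)
            findings = []
            if rel is None and absolute is None:
                findings.append("no RelativePath or AbsolutePath")
            if any(name == "Executable" for name, _ in keys or []):
                findings.append("runs during installation")
            if absolute is not None:
                findings.append("fixed AbsolutePath destination")
            if mode & 0o022:
                findings.append("group/other writable (%03o)" % mode)
            records.append({"platform": platform, "file": fname,
                            "dest": rel or absolute, "mode": mode,
                            "findings": findings})
    return records

if __name__ == "__main__":
    for rec in audit(SAMPLE_SCRIPT):
        print(rec["platform"], rec["file"], rec["dest"],
              "%03o" % rec["mode"], "; ".join(rec["findings"]) or "ok")
```

Run against the script from Example C.8, both crypto.dll and setup.exe are reported with the default 777 mode, and setup.exe is additionally reported as a program that runs during installation.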
Example C.9. Changing the Password on a Token
modutil -dbdir "/etc/dirsrv/admin-serv" -changepw "Admin Server Certificate DB"

WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:

Using database directory /etc/dirsrv/admin-serv...
Enter old password:
Enter new password:
Re-enter new password:
Token "Admin Server Certificate DB" password changed successfully.
Glossary
A
- access control instruction
See ACI.
- access control list
See ACL.
- access rights
- In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
- account inactivation
- Disables a user account, group of accounts, or an entire domain so that all authentication attempts are automatically rejected.
- ACI
- An instruction that grants or denies permissions to entries in the directory.
See Also access control instruction.
- ACL
- The mechanism for controlling access to your directory.
See Also access control list.
- All IDs Threshold
- Replaced with the ID list scan limit in Directory Server version 7.1. A size limit which is globally applied to every index key managed by the server. When the size of an individual ID list reaches this limit, the server replaces that ID list with an All IDs token.
See Also ID list scan limit.
- All IDs token
- A mechanism which causes the server to assume that all directory entries match the index key. In effect, the All IDs token causes the server to behave as if no index was available for the search request.
- anonymous access
- When granted, allows anyone to access directory information without providing credentials, and regardless of the conditions of the bind.
- approximate index
- Allows for efficient approximate or "sounds-like" searches.
- attribute
- Holds descriptive information about an entry. Attributes have a label and a value. Each attribute also follows a standard syntax for the type of information that can be stored as the attribute value.
- attribute list
- A list of required and optional attributes for a given entry type or object class.
- authenticating directory server
- In pass-through authentication (PTA), the authenticating Directory Server is the Directory Server that contains the authentication credentials of the requesting client. The PTA-enabled host sends PTA requests it receives from clients to the host.
- authentication
- (1) Process of proving the identity of the client user to the Directory Server. Users must provide a bind DN and either the corresponding password or certificate in order to be granted access to the directory. Directory Server allows the user to perform functions or access files and directories based on the permissions granted to that user by the directory administrator. (2) Allows a client to make sure they are connected to a secure server, preventing another computer from impersonating the server or attempting to appear secure when it is not.
- authentication certificate
- Digital file that is not transferable and not forgeable and is issued by a third party. Authentication certificates are sent from server to client or client to server in order to verify and authenticate the other party.
B
- base distinguished name
See base DN.
- base DN
- Base distinguished name. A search operation is performed on the base DN, the DN of the entry and all entries below it in the directory tree.
- bind distinguished name
See bind DN.
- bind DN
- Distinguished name used to authenticate to Directory Server when performing an operation.
- bind rule
- In the context of access control, the bind rule specifies the credentials and conditions that a particular user or client must satisfy in order to get access to directory information.
- branch entry
- An entry that represents the top of a subtree in the directory.
- browser
- Software, such as Mozilla Firefox, used to request and view World Wide Web material stored as HTML files. The browser uses the HTTP protocol to communicate with the host server.
- browsing index
- Speeds up the display of entries in the Directory Server Console. Browsing indexes can be created on any branch point in the directory tree to improve display performance.
See Also virtual list view index.
C
- CA
- cascading replication
- In a cascading replication scenario, one server, often called the hub supplier, acts both as a consumer and a supplier for a particular replica. It holds a read-only replica and maintains a changelog. It receives updates from the supplier server that holds the master copy of the data and in turn supplies those updates to the consumer.
- certificate
- A collection of data that associates the public keys of a network user with their DN in the directory. The certificate is stored in the directory as user object attributes.
- Certificate Authority
- Company or organization that sells and issues authentication certificates. You may purchase an authentication certificate from a Certification Authority that you trust. Also known as a CA.
- CGI
- Common Gateway Interface. An interface for external programs to communicate with the HTTP server. Programs written to use CGI are called CGI programs or CGI scripts and can be written in many of the common programming languages. CGI programs handle forms or perform output parsing that is not done by the server itself.
- chaining
- A method for relaying requests to another server. Results for the request are collected, compiled, and then returned to the client.
- changelog
- A changelog is a record that describes the modifications that have occurred on a replica. The supplier server then replays these modifications on the replicas stored on replica servers or on other masters, in the case of multi-master replication.
- character type
- Distinguishes alphabetic characters from numeric or other characters and the mapping of upper-case to lower-case letters.
- ciphertext
- Encrypted information that cannot be read by anyone without the proper key to decrypt the information.
- class definition
- Specifies the information needed to create an instance of a particular object and determines how the object works in relation to other objects in the directory.
- class of service
See CoS.
- classic CoS
- A classic CoS identifies the template entry by both its DN and the value of one of the target entry's attributes.
- client
See LDAP client.
- code page
- An internal table used by a locale in the context of the internationalization plug-in that the operating system uses to relate keyboard keys to character font screen displays.
- collation order
- Provides language and cultural-specific information about how the characters of a given language are to be sorted. This information might include the sequence of letters in the alphabet or how to compare letters with accents to letters without accents.
- consumer
- Server containing replicated directory trees or subtrees from a supplier server.
- consumer server
- In the context of replication, a server that holds a replica that is copied from a different server is called a consumer for that replica.
- CoS
- A method for sharing attributes between entries in a way that is invisible to applications.
- CoS definition entry
- Identifies the type of CoS you are using. It is stored as an LDAP subentry below the branch it affects.
- CoS template entry
- Contains a list of the shared attribute values.
See Also template entry.
D
- daemon
- A background process on a Unix machine that is responsible for a particular system task. Daemon processes do not need human intervention to continue functioning.
- DAP
- Directory Access Protocol. The ISO X.500 standard protocol that provides client access to the directory.
- data master
- The server that is the master source of a particular piece of data.
- database link
- An implementation of chaining. The database link behaves like a database but has no persistent storage. Instead, it points to data stored remotely.
- default index
- One of a set of default indexes created per database instance. Default indexes can be modified, although care should be taken before removing them, as certain plug-ins may depend on them.
- definition entry
See CoS definition entry.
- Directory Access Protocol
See DAP.
- Directory Manager
- The privileged database administrator, comparable to the root user in UNIX. Access control does not apply to the Directory Manager.
- directory service
- A database application designed to manage descriptive, attribute-based information about people and resources within an organization.
- directory tree
- The logical representation of the information stored in the directory. It mirrors the tree model used by most filesystems, with the tree's root point appearing at the top of the hierarchy. Also known as DIT.
- distinguished name
- String representation of an entry's name and location in an LDAP directory.
- DIT
See directory tree.
- DM
See Directory Manager.
- DN
See distinguished name.
- DNS
- Domain Name System. The system used by machines on a network to associate standard IP addresses (such as 198.93.93.10) with host names (such as www.example.com). Machines normally get the IP address for a host name from a DNS server, or they look it up in tables maintained on their systems.
- DNS alias
- A DNS alias is a host name that the DNS server knows points to a different host, specifically a DNS CNAME record. Machines always have one real name, but they can have one or more aliases. For example, an alias such as www.yourdomain.domain might point to a real machine called realthing.yourdomain.domain where the server currently exists.
E
- entry
- A group of lines in the LDIF file that contains information about an object.
- entry distribution
- Method of distributing directory entries across more than one server in order to scale to support large numbers of entries.
- entry ID list
- Each index that the directory uses is composed of a table of index keys and matching entry ID lists. The entry ID list is used by the directory to build a list of candidate entries that may match the client application's search request.
- equality index
- Allows you to search efficiently for entries containing a specific attribute value.
F
- file extension
- The section of a filename after the period or dot (.) that typically defines the type of file (for example, .GIF and .HTML). In the filename index.html the file extension is html.
- file type
- The format of a given file. For example, graphics files are often saved in GIF format, while a text file is usually saved as ASCII text format. File types are usually identified by the file extension (for example, .GIF or .HTML).
- filter
- A constraint applied to a directory query that restricts the information returned.
- filtered role
- Allows you to assign entries to the role depending upon the attribute contained by each entry. You do this by specifying an LDAP filter. Entries that match the filter are said to possess the role.
G
- general access
- When granted, indicates that all authenticated users can access directory information.
- GSS-API
- Generic Security Services. The generic access protocol that is the native way for UNIX-based systems to access and authenticate Kerberos services; also supports session encryption.
H
- host name
- A name for a machine in the form machine.domain.dom, which is translated into an IP address. For example, www.example.com is the machine www in the subdomain example and com domain.
- HTML
- Hypertext Markup Language. The formatting language used for documents on the World Wide Web. HTML files are plain text files with formatting codes that tell browsers such as Mozilla Firefox how to display text, position graphics, and form items and to display links to other pages.
- HTTP
- Hypertext Transfer Protocol. The method for exchanging information between HTTP servers and clients.
- HTTPD
- An abbreviation for the HTTP daemon or service, a program that serves information using the HTTP protocol. The daemon or service is often called an httpd.
- HTTPS
- A secure version of HTTP, implemented using the Secure Sockets Layer, SSL.
- hub
- In the context of replication, a server that holds a replica that is copied from a different server, and, in turn, replicates it to a third server.
See Also cascading replication.
I
- ID list scan limit
- A size limit which is globally applied to any indexed search operation. When the size of an individual ID list reaches this limit, the server replaces that ID list with an all IDs token.
- index key
- Each index that the directory uses is composed of a table of index keys and matching entry ID lists.
- indirect CoS
- An indirect CoS identifies the template entry using the value of one of the target entry's attributes.
- international index
- Speeds up searches for information in international directories.
- International Standards Organization
See ISO.
- IP address
- Also Internet Protocol address. A set of numbers, separated by dots, that specifies the actual location of a machine on the Internet (for example, 198.93.93.10).
- ISO
- International Standards Organization.
K
- knowledge reference
- Pointers to directory information stored in different databases.
L
- LDAP
- Lightweight Directory Access Protocol. Directory service protocol designed to run over TCP/IP and across multiple platforms.
- LDAP client
- Software used to request and view LDAP entries from an LDAP Directory Server.
See Also browser.
- LDAP Data Interchange Format
See LDIF.
- LDAP URL
- Provides the means of locating Directory Servers using DNS and then completing the query using LDAP. A sample LDAP URL is ldap://ldap.example.com.
- LDAPv3
- Version 3 of the LDAP protocol, upon which Directory Server bases its schema format.
- LDBM database
- A high-performance, disk-based database consisting of a set of large files that contain all of the data assigned to it. The primary data store in Directory Server.
- LDIF
- LDAP Data Interchange Format. Format used to represent Directory Server entries in text form.
- leaf entry
- An entry under which there are no other entries. A leaf entry cannot be a branch point in a directory tree.
- Lightweight Directory Access Protocol
See LDAP.
- locale
- Identifies the collation order, character type, monetary format and time/date format used to present data for users of a specific region, culture, and/or custom. This includes information on how data of a given language is interpreted, stored, or collated. The locale also indicates which code page should be used to represent a given language.
M
- managed object
- A standard value which the SNMP agent can access and send to the NMS. Each managed object is identified with an official name and a numeric identifier expressed in dot-notation.
- managed role
- Allows creation of an explicit enumerated list of members.
- management information base
See MIB.
- mapping tree
- A data structure that associates the names of suffixes (subtrees) with databases.
- master
See supplier.
- master agent
See SNMP master agent.
- matching rule
- Provides guidelines for how the server compares strings during a search operation. In an international search, the matching rule tells the server what collation order and operator to use.
- MD5
- A message digest algorithm by RSA Data Security, Inc., which can be used to produce a short digest of data that is unique with high probability and for which it is mathematically extremely hard to produce a piece of data that will produce the same message digest.
- MD5 signature
- A message digest produced by the MD5 algorithm.
- MIB
- Management Information Base. All data, or any portion thereof, associated with the SNMP network. We can think of the MIB as a database which contains the definitions of all SNMP managed objects. The MIB has a tree-like hierarchy, where the top level contains the most general information about the network and lower levels deal with specific, separate network areas.
- MIB namespace
- Management Information Base namespace. The means for directory data to be named and referenced. Also called the directory tree.
- monetary format
- Specifies the monetary symbol used by a specific region, whether the symbol goes before or after its value, and how monetary units are represented.
- multi-master replication
- An advanced replication scenario in which two servers each hold a copy of the same read-write replica. Each server maintains a changelog for the replica. Modifications made on one server are automatically replicated to the other server. In case of conflict, a time stamp is used to determine which server holds the most recent version.
- multiplexor
- The server containing the database link that communicates with the remote server.
N
- n + 1 directory problem
- The problem of managing multiple instances of the same information in different directories, resulting in increased hardware and personnel costs.
- name collisions
- Multiple entries with the same distinguished name.
- nested role
- Allows the creation of roles that contain other roles.
- network management application
- Network Management Station component that graphically displays information about SNMP managed devices, such as which device is up or down and which and how many error messages were received.
- network management station
See NMS.
- NIS
- Network Information Service. A system of programs and data files that Unix machines use to collect, collate, and share specific information about machines, users, filesystems, and network parameters throughout a network of computers.
- NMS
- Powerful workstation with one or more network management applications installed. Also network management station.
- ns-slapd
- Red Hat's LDAP Directory Server daemon or service that is responsible for all actions of the Directory Server.
See Also slapd.
O
- object class
- Defines an entry type in the directory by defining which attributes are contained in the entry.
- object identifier
- A string, usually of decimal numbers, that uniquely identifies a schema element, such as an object class or an attribute, in an object-oriented system. Object identifiers are assigned by ANSI, IETF or similar organizations.
See Also OID.
- OID
See object identifier.
- operational attribute
- Contains information used internally by the directory to keep track of modifications and subtree properties. Operational attributes are not returned in response to a search unless explicitly requested.
P
- parent access
- When granted, indicates that users have access to entries below their own in the directory tree if the bind DN is the parent of the targeted entry.
- pass-through authentication
See PTA.
- pass-through subtree
- In pass-through authentication, the PTA directory server will pass through bind requests to the authenticating directory server from all clients whose DN is contained in this subtree.
- password file
- A file on Unix machines that stores Unix user login names, passwords, and user ID numbers. It is also known as /etc/passwd because of where it is kept.
- password policy
- A set of rules that governs how passwords are used in a given directory.
- PDU
- Encoded messages which form the basis of data exchanges between SNMP devices. Also protocol data unit.
- permission
- In the context of access control, permission states whether access to the directory information is granted or denied and the level of access that is granted or denied.
See Also access rights.
- pointer CoS
- A pointer CoS identifies the template entry using the template DN only.
- presence index
- Allows searches for entries that contain a specific indexed attribute.
- protocol
- A set of rules that describes how devices on a network exchange information.
- protocol data unit
See PDU.
- proxy authentication
- A special form of authentication where the user requesting access to the directory does not bind with its own DN but with a proxy DN.
- proxy DN
- Used with proxied authorization. The proxy DN is the DN of an entry that has access permissions to the target on which the client-application is attempting to perform an operation.
- PTA
- Mechanism by which one Directory Server consults another to check bind credentials. Also pass-through authentication.
- PTA directory server
- In pass-through authentication (PTA), the PTA Directory Server is the server that sends (passes through) bind requests it receives to the authenticating directory server.
- PTA LDAP URL
- In pass-through authentication, the URL that defines the authenticating directory server, pass-through subtree(s), and optional parameters.
R
- RAM
- Random access memory. The physical semiconductor-based memory in a computer. Information stored in RAM is lost when the computer is shut down.
- rc.local
- A file on Unix machines that describes programs that are run when the machine starts. It is also called /etc/rc.local because of its location.
- RDN
- The name of the actual entry itself, before the entry's ancestors have been appended to the string to form the full distinguished name. Also relative distinguished name.
- read-only replica
- A replica that refers all update operations to read-write replicas. A server can hold any number of read-only replicas.
- read-write replica
- A replica that contains a master copy of directory information and can be updated. A server can hold any number of read-write replicas.
- referential integrity
- Mechanism that ensures that relationships between related entries are maintained within the directory.
- referral
- (1) When a server receives a search or update request from an LDAP client that it cannot process, it usually sends back to the client a pointer to the LDAP server that can process the request. (2) In the context of replication, when a read-only replica receives an update request, it forwards it to the server that holds the corresponding read-write replica. This forwarding process is called a referral.
- relative distinguished name
See RDN.
- replica
- A database that participates in replication.
- replica-initiated replication
- Replication configuration where replica servers, either hub or consumer servers, pull directory data from supplier servers. This method is available only for legacy replication.
- replication
- Act of copying directory trees or subtrees from supplier servers to replica servers.
- replication agreement
- Set of configuration parameters that are stored on the supplier server and identify the databases to replicate, the replica servers to which the data is pushed, the times during which replication can occur, the DN and credentials used by the supplier to bind to the consumer, and how the connection is secured.
- RFC
- Request for Comments. Procedures or standards documents submitted to the Internet community. People can send comments on the technologies before they become accepted standards.
- role
- An entry grouping mechanism. Each role has members, which are the entries that possess the role.
- role-based attributes
- Attributes that appear on an entry because it possesses a particular role within an associated CoS template.
- root
- The most privileged user available on Unix machines. The root user has complete access privileges to all files on the machine.
- root suffix
- The parent of one or more sub suffixes. A directory tree can contain more than one root suffix.
S
- SASL
- An authentication framework for clients as they attempt to bind to a directory. Also Simple Authentication and Security Layer.
- schema
- Definitions describing what types of information can be stored as entries in the directory. When information that does not match the schema is stored in the directory, clients attempting to access the directory may be unable to display the proper results.
- schema checking
- Ensures that entries added or modified in the directory conform to the defined schema. Schema checking is on by default, and users will receive an error if they try to save an entry that does not conform to the schema.
- Secure Sockets Layer
See SSL.
- self access
- When granted, indicates that users have access to their own entries if the bind DN matches the targeted entry.
- Server Console
- Java-based application that allows you to perform administrative management of your Directory Server from a GUI.
- server daemon
- The server daemon is a process that, once running, listens for and accepts requests from clients.
- Server Selector
- Interface that allows you to select and configure servers using a browser.
- server service
- A process on Windows that, once running, listens for and accepts requests from clients. It is the SMB server on Windows NT.
- service
- A background process on a Windows machine that is responsible for a particular system task. Service processes do not need human intervention to continue functioning.
- SIE
- Server Instance Entry. The ID assigned to an instance of Directory Server during installation.
- Simple Authentication and Security Layer
See SASL.
- Simple Network Management Protocol
See SNMP.
- single-master replication
- The most basic replication scenario in which multiple servers, up to four, each hold a copy of the same read-write replicas to replica servers. In a single-master replication scenario, the supplier server maintains a changelog.
- SIR
- slapd
- LDAP Directory Server daemon or service that is responsible for most functions of a directory except replication.
See Also ns-slapd.
- SNMP
- Used to monitor and manage application processes running on the servers by exchanging data about network activity. Also Simple Network Management Protocol.
- SNMP master agent
- Software that exchanges information between the various subagents and the NMS.
- SNMP subagent
- Software that gathers information about the managed device and passes the information to the master agent. Also called a subagent.
- SSL
- A software library establishing a secure connection between two parties (client and server) used to implement HTTPS, the secure version of HTTP. Also called Secure Sockets Layer.
- standard index
- Index maintained by default.
- sub suffix
- A branch underneath a root suffix.
- subagent
See SNMP subagent.
- substring index
- Allows for efficient searching against substrings within entries. Substring indexes are limited to a minimum of two characters for each entry.
- suffix
- The name of the entry at the top of the directory tree, below which data is stored. Multiple suffixes are possible within the same directory. Each database only has one suffix.
- superuser
- The most privileged user available on Unix machines. The superuser has complete access privileges to all files on the machine. Also called root.
- supplier
- Server containing the master copy of directory trees or subtrees that are replicated to replica servers.
- supplier server
- In the context of replication, a server that holds a replica that is copied to a different server is called a supplier for that replica.
- supplier-initiated replication
- Replication configuration where supplier servers replicate directory data to any replica servers.
- symmetric encryption
- Encryption that uses the same key for both encrypting and decrypting. DES is an example of a symmetric encryption algorithm.
- system index
- Cannot be deleted or modified as it is essential to Directory Server operations.
T
- target
- In the context of access control, the target identifies the directory information to which a particular ACI applies.
- target entry
- The entries within the scope of a CoS.
- TCP/IP
- Transmission Control Protocol/Internet Protocol. The main network protocol for the Internet and for enterprise (company) networks.
- template entry
See CoS template entry.
- time/date format
- Indicates the customary formatting for times and dates in a specific region.
- TLS
- The new standard for secure socket layers; a public key based protocol. Also Transport Layer Security.
- topology
- The way a directory tree is divided among physical servers and how these servers link with one another.
- Transport Layer Security
See TLS.
U
- uid
- A unique number associated with each user on a Unix system.
- URL
- Uniform Resource Locator. The addressing system used by the server and the client to request documents. It is often called a location. The format of a URL is protocol://machine:port/document. The port number is necessary only on selected servers, and it is often assigned by the server, freeing the user of having to place it in the URL.
V
- virtual list view index
- Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance.
See Also browsing index.
X
- X.500 standard
- The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementations.
Index
Symbols
- 00core.ldif
- ldif files, LDIF and Schema Configuration Files
- 01common.ldif
- ldif files, LDIF and Schema Configuration Files
- 05rfc2247.ldif
- ldif files, LDIF and Schema Configuration Files
- 05rfc2927.ldif
- ldif files, LDIF and Schema Configuration Files
- 10presence.ldif
- ldif files, LDIF and Schema Configuration Files
- 10rfc2307.ldif
- ldif files, LDIF and Schema Configuration Files
- 20subscriber.ldif
- ldif files, LDIF and Schema Configuration Files
- 25java-object.ldif
- ldif files, LDIF and Schema Configuration Files
- 28pilot.ldif
- ldif files, LDIF and Schema Configuration Files
- 30ns-common.ldif
- ldif files, LDIF and Schema Configuration Files
- 50ns-admin.ldif
- ldif files, LDIF and Schema Configuration Files
- 50ns-certificate.ldif
- ldif files, LDIF and Schema Configuration Files
- 50ns-directory.ldif
- ldif files, LDIF and Schema Configuration Files
- 50ns-mail.ldif
- ldif files, LDIF and Schema Configuration Files
- 50ns-value.ldif
- ldif files, LDIF and Schema Configuration Files
- 50ns-web.ldif
- ldif files, LDIF and Schema Configuration Files
- 60pam-plugin.ldif, LDIF and Schema Configuration Files
- 99user.ldif
- ldif files, LDIF and Schema Configuration Files
- ::, in LDIF statements, ldif
A
- access log
- connection code, Common Connection Codes
- contents, Access Log Reference, Default Access Logging Content
- abandon message (ABANDON), Default Access Logging Content
- change sequence number (csn), Default Access Logging Content
- connection description (conn), Access Log Content for Additional Access Logging Levels
- connection number (conn), Default Access Logging Content
- elapsed time (etime), Default Access Logging Content
- error number (err), Default Access Logging Content
- extended operation OID (oid), Default Access Logging Content
- file descriptor (fd), Default Access Logging Content
- format, Access Log Reference
- LDAP request type, Default Access Logging Content
- LDAP response type, Default Access Logging Content
- message ID (msgid), Default Access Logging Content
- method type (method), Default Access Logging Content
- number of entries (nentries), Default Access Logging Content
- operation number (op), Default Access Logging Content
- options description (options), Access Log Content for Additional Access Logging Levels
- paged search indicator (notes=P), Default Access Logging Content
- SASL multi-stage binds, Default Access Logging Content
- scope of the search (scope), Default Access Logging Content
- search indicator, Default Access Logging Content
- slot number (slot), Default Access Logging Content
- sort (SORT), Default Access Logging Content
- tag number (tag), Default Access Logging Content
- version number (version), Default Access Logging Content
- VLV-related entries, Default Access Logging Content
- LDAP result codes, LDAP Result Codes
- levels, Access Logging Levels, Access Log Content for Additional Access Logging Levels
- sample 1 (level 256), Default Access Logging Content
- statistics for monitoring and optimizing directory usage, logconv.pl (Log Converter)
- account, account
- account policy
- altstateattrname, altstateattrname
- alwaysRecordLogin, alwaysRecordLogin
- limitattrname, limitattrname
- plug-in configuration attributes, Account Policy Plug-in Attributes
- specattrname, specattrname
- stateattrname, stateattrname
- accountpolicy, accountpolicy
- accountUnlockTime, accountUnlockTime
- aci, aci
- alias, alias
- aliasedObjectName, aliasedObjectName
- altServer, altServer
- ancestorid.db4 file, Database Files
- associatedDomain, associatedDomain
- associatedName, associatedName
- attributes
- allowed, Required and Allowed Attributes
- defined, Attributes
- multi-valued, Single- and Multi-Valued Attributes
- required, Required and Allowed Attributes
- single-valued, Single- and Multi-Valued Attributes
- syntax, Directory Server Attribute Syntaxes
- syntax validation, Syntax Validation
- attributeTypes, attributeTypes
- audio, audio
- authorCn, authorCn
- authorSn, authorSn
- auto membership plug-in configuration attributes
- autoMemberDefaultGroup, autoMemberDefaultGroup
- autoMemberDefinition, autoMemberDefinition (Object Class)
- autoMemberExclusiveRegex, autoMemberExclusiveRegex
- autoMemberFilter, autoMemberFilter
- autoMemberGroupingAttr, autoMemberGroupingAttr
- autoMemberInclusiveRegex, autoMemberInclusiveRegex
- autoMemberRegexRule, autoMemberRegexRule (Object Class)
- autoMemberScope, autoMemberScope
- autoMemberTargetGroup, autoMemberTargetGroup
- automountInformation, automountInformation
B
- backend, cn=USN tombstone cleanup task
- backendMonitorDN attribute, cn=monitor
- backup files, Backup Files
- bak2db
- command-line shell script, bak2db (Restores a Database from Backup)
- quick reference, Command-Line Scripts Quick Reference
- bak2db.pl
- command-line perl script, bak2db.pl (Restores a Database from Backup)
- quick reference, Command-Line Scripts Quick Reference
- base, ldif
- base 64 encoding, ldif
- basedn, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
- binary data, LDIF and, ldif
- bootableDevice, bootableDevice
- bootFile, bootFile
- bootParameter, bootParameter
- Browsing Indexes, vlvindex (Creates Virtual List View Indexes)
- buildingName, buildingName
- businessCategory, businessCategory
- bytessentattribute, cn=monitor
C
- c, c (countryName)
- cACertificate, cACertificate
- cacheObject, cacheObject
- carLicense, carLicense
- certificateRevocationList, certificateRevocationList
- change, change
- changelog
- multi-master replication changelog, cn=changelog5
- changeLog, changeLog
- changelog configuration attributes
- changelogmaxconcurrentwrites, nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
- changelogmaxentries, nsslapd-changelogmaxentries (Max Changelog Records)
- nsslapd-changelogdir, nsslapd-changelogdir
- nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
- nsslapd-encryptionalgorithm, nsslapd-encryptionalgorithm (Encryption Algorithm)
- nsSymmetricKey, nsSymmetricKey
- changelog configuration entries
- cn=changelog5, cn=changelog5
- changeLogEntry, changeLogEntry (Object Class)
- changeNumber, changeNumber
- changeTime, changeTime
- changeType, changeType
- cl-dump
- command-line shell script, cl-dump (Dumps and Decodes the Changelog)
- quick reference, Command-Line Scripts Quick Reference
- cl-dump.pl
- command-line perl script, cl-dump.pl (Dumps and Decodes the Changelog)
- quick reference, Command-Line Scripts Quick Reference
- cleanallruv.pl
- command-line perl script, cleanallruv.pl (Cleans RUV data)
- cn, Task Invocation Attributes for Entries under cn=tasks, cn (commonName)
- cn attribute, cn
- cn=abort cleanallruv
- configuration entry, cn=abort cleanallruv
- cn=abort cleanallruv task
- attributes
- replica-base-dn, cn=abort cleanallruv
- replica-certify-all, cn=abort cleanallruv
- replica-id, cn=abort cleanallruv
- cn=automember export updates
- configuration entry, cn=automember export updates
- cn=automember export updates task
- attributes
- basedn, cn=automember export updates
- filter, cn=automember export updates
- ldif, cn=automember export updates
- scope, cn=automember export updates
- cn=automember map updates
- configuration entry, cn=automember map updates
- cn=automember map updates task
- attributes
- ldif_in, cn=automember map updates
- ldif_out, cn=automember map updates
- cn=automember rebuild membership
- configuration entry, cn=automember rebuild membership
- cn=automember rebuild membership task
- attributes
- cn=backup
- cn=changelog5
- changelog configuration entries, cn=changelog5
- object classes, cn=changelog5
- cn=cleanallruv
- configuration entry, cn=cleanallruv
- cn=cleanallruv task
- attributes
- replica-base-dn, cn=cleanallruv
- replica-force-cleaning, cn=cleanallruv
- replica-id, cn=cleanallruv
- cn=config
- general, Overview of the Directory Server Configuration
- general configuration entries, cn=config
- object classes, cn=config
- cn=config Directory Information Tree
- configuration data, Overview of the Directory Server Configuration
- cn=encrypted attributes, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
- cn=encryption
- encryption configuration entries, cn=encryption
- object classes, cn=encryption
- cn=export
- cn=fixup linked attributes task
- attributes
- linkdn, cn=fixup linked attributes
- configuration entry, cn=fixup linked attributes
- cn=import
- attributes
- configuration entry, Task Invocation Attributes for Entries under cn=tasks, cn=import
- cn=index
- cn=mapping tree
- object classes, cn=mapping tree
- suffix and replication configuration entries, cn=mapping tree
- cn=memberof task
- attributes
- basedn, cn=memberof task
- filter, cn=memberof task
- configuration entry, cn=memberof task
- cn=monitor
- object classes, cn=monitor
- read-only monitoring configuration entries, cn=monitor
- cn=restore
- attributes
- nsArchiveDir, cn=restore
- nsDatabaseTypes, cn=restore
- configuration entry, cn=restore
- cn=sasl
- cn=schema reload task
- attributes
- schemadir, cn=schema reload task
- configuration entry, cn=schema reload task
- cn=SNMP
- cn=syntax validate attributes task
- configuration entry, cn=syntax validate
- cn=syntax validate task
- attributes
- basedn, cn=syntax validate
- filter, cn=syntax validate
- cn=tasks
- attributes
- cn, Task Invocation Attributes for Entries under cn=tasks
- nsTaskCancel, Task Invocation Attributes for Entries under cn=tasks
- nsTaskCurrentItem, Task Invocation Attributes for Entries under cn=tasks
- nsTaskExitCode, Task Invocation Attributes for Entries under cn=tasks
- nsTaskLog, Task Invocation Attributes for Entries under cn=tasks
- nsTaskStatus, Task Invocation Attributes for Entries under cn=tasks
- ttl, Task Invocation Attributes for Entries under cn=tasks
- cn=abort cleanallruv, cn=abort cleanallruv
- cn=automember export updates, cn=automember export updates
- cn=automember map updates, cn=automember map updates
- cn=automember rebuild membership, cn=automember rebuild membership
- cn=cleanallruv, cn=cleanallruv
- entries, cn=tasks
- task invocation configuration entries, cn=tasks
- cn=backup, cn=backup
- cn=export, cn=export
- cn=import, Task Invocation Attributes for Entries under cn=tasks, cn=import
- cn=index, cn=index
- cn=restore, cn=restore
- cn=uniqueid generator
- object classes, cn=uniqueid generator
- uniqueid generator configuration entries, cn=uniqueid generator
- cn=UserRoot
- configuration, Configuration of Databases
- cn=USN tombstone cleanup task
- attributes
- backend, cn=USN tombstone cleanup task
- max_usn_to_delete, cn=USN tombstone cleanup task
- suffix, cn=USN tombstone cleanup task
- configuration entry, cn=USN tombstone cleanup task
- co, co (friendlyCountryName)
- command-line scripts, Command-Line Scripts
- finding and executing, Finding and Executing Command-Line Scripts
- location of perl scripts, Command-Line Scripts Quick Reference
- location of shell scripts, Command-Line Scripts Quick Reference
- migrate-ds-admin.pl, migrate-ds-admin.pl
- migrate-ds.pl, migrate-ds.pl
- perl scripts, Perl Scripts
- bak2db.pl, bak2db.pl (Restores a Database from Backup)
- cl-dump.pl, cl-dump.pl (Dumps and Decodes the Changelog)
- cleanallruv.pl, cleanallruv.pl (Cleans RUV data)
- db2bak.pl, db2bak.pl (Creates a Backup of a Database)
- db2index.pl, db2index.pl (Creates and Generates Indexes)
- db2ldif.pl, db2ldif.pl (Exports Database Contents to LDIF)
- fixup-linkedattrs.pl, fixup-linkedattrs.pl (Regenerate Linked and Managed Attributes)
- fixup-memberof.pl, fixup-memberof.pl (Regenerate memberOf Attributes)
- ldif2db.pl, ldif2db.pl (Import)
- ns-accountstatus.pl, ns-accountstatus.pl (Establishes Account Status)
- ns-activate.pl, ns-activate.pl (Activates an Entry or Group of Entries)
- ns-inactivate.pl, ns-inactivate.pl (Inactivates an Entry or Group of Entries)
- ns-newpwpolicy.pl, ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
- repl-monitor.pl, repl-monitor.pl (Monitors Replication Status)
- schema-reload.pl, schema-reload.pl (Reload Schema Files Dynamically)
- syntax-validate.pl, syntax-validate.pl (Validate Attribute Values)
- usn-tombstone-cleanup.pl, usn-tombstone-cleanup.pl (Remove Deleted Entries)
- verify-db.pl, verify-db.pl (Check for Corrupt Databases)
- quick reference, Command-Line Scripts Quick Reference
- register-ds-admin.pl, register-ds-admin.pl
- remove-ds-admin.pl, remove-ds-admin.pl
- remove-ds.pl, remove-ds.pl
- setup-ds-admin.pl, setup-ds-admin.pl
- setup-ds.pl, setup-ds.pl
- shell scripts, Shell Scripts
- bak2db, bak2db (Restores a Database from Backup)
- cl-dump, cl-dump (Dumps and Decodes the Changelog)
- db2bak, db2bak (Creates a Backup of a Database)
- db2index, db2index (Reindexes Database Index Files)
- db2ldif, db2ldif (Exports Database Contents to LDIF)
- dbverify, dbverify (Checks for Corrupt Databases)
- ldif2db, ldif2db (Import)
- ldif2ldap, ldif2ldap (Performs Import Operation over LDAP)
- monitor, monitor (Retrieves Monitoring Information)
- pwdhash, pwdhash (Prints Encrypted Passwords)
- repl-monitor, repl-monitor (Monitors Replication Status)
- restart-dirsrv, restart-dirsrv (Restarts the Directory Server)
- restart-ds-admin, restart-ds-admin (Restarts the Admin Server)
- restart-slapd, restart-slapd (Restarts the Directory Server)
- restoreconfig, restoreconfig (Restores Admin Server Configuration)
- saveconfig, saveconfig (Saves Admin Server Configuration)
- start-dirsrv, start-dirsrv (Starts the Directory Server)
- start-ds-admin, start-ds-admin (Starts the Admin Server)
- start-slapd, start-slapd (Starts the Directory Server)
- stop-dirsrv, stop-dirsrv (Stops the Directory Server)
- stop-ds-admin, stop-ds-admin (Stops the Admin Server)
- stop-slapd, stop-slapd (Stops the Directory Server)
- suffix2instance, suffix2instance (Maps a Suffix to a Backend Name)
- upgradednformat, upgradednformat
- vlvindex, vlvindex (Creates Virtual List View Indexes)
- command-line utilities
- dbmon.sh, dbmon.sh (Database Monitoring and Entry Cache Usage)
- dbscan, dbscan
- dn2rdn, dn2rdn
- ds_removal, ds_removal
- ldif, ldif
- configuration
- access control, Access Control for Configuration Entries
- accessing and modifying, Accessing and Modifying Server Configuration
- changing attributes, Changing Configuration Attributes
- cn=UserRoot, Configuration of Databases
- database-specific, Overview of the Directory Server Configuration
- o=NetscapeRoot, Configuration of Databases
- overview, Overview of the Directory Server Configuration
- plug-in functionality, Configuration of Plug-in Functionality
- configuration attributes
- changelog5 configuration attributes, cn=changelog5
- changing, Changing Configuration Attributes
- core server configuration attributes, Core Server Configuration Attributes Reference
- database link plug-in configuration attributes, Database Link Plug-in Attributes (Chaining Attributes)
- database plug-in configuration attributes, Database Plug-in Attributes
- encryption configuration attributes, cn=encryption
- mapping tree configuration attributes, cn=mapping tree
- monitoring configuration attributes, cn=monitor
- overview, Configuration Attributes
- plug-in functionality configuration attributes, List of Attributes Common to All Plug-ins
- plug-in functionality configuration attributes allowed by certain plug-ins, Attributes Allowed by Certain Plug-ins
- plug-in functionality configuration attributes common to all plug-ins, List of Attributes Common to All Plug-ins
- replication agreement configuration attributes, Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config
- replication configuration attributes, Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config
- restrictions to modifying, Restrictions to Modifying Configuration Entries and Attributes
- retro changelog plug-in configuration attributes, Retro Changelog Plug-in Attributes
- rootdn access control plug-in configuration attributes, RootDN Access Control Plug-in Attributes
- SASL configuration attributes, cn=sasl
- SNMP configuration attributes, cn=SNMP
- suffix configuration attributes, Suffix Configuration Attributes under cn=suffixName
- synchronization agreement attributes, Synchronization Attributes under cn=syncAgreementName,cn=WindowsReplica,cn=suffixName,cn=mapping tree,cn=config
- task configuration attributes, cn=tasks
- cn=abort cleanallruv, cn=abort cleanallruv
- cn=automember export updates, cn=automember export updates
- cn=automember map updates, cn=automember map updates
- cn=automember rebuild membership, cn=automember rebuild membership
- cn=backup, cn=backup
- cn=cleanallruv, cn=cleanallruv
- cn=export, cn=export
- cn=fixup linked attributes, cn=fixup linked attributes
- cn=import, Task Invocation Attributes for Entries under cn=tasks, cn=import
- cn=index, cn=index
- cn=memberof task, cn=memberof task
- cn=restore, cn=restore
- cn=schema reload task, cn=schema reload task
- cn=syntax validate attributes, cn=syntax validate
- cn=USN tombstone cleanup task, cn=USN tombstone cleanup task
- uniqueid generator configuration attributes, cn=uniqueid generator
- configuration changes
- deleting core server configuration attributes, Deleting Configuration Attributes
- requiring server restart, Configuration Changes Requiring Server Restart
- configuration entries
- modifying using LDAP, Modifying Configuration Entries Using LDAP
- restrictions to modifying, Restrictions to Modifying Configuration Entries and Attributes
- configuration files, Configuration Files
- location of, Accessing and Modifying Server Configuration
- configuration information tree
- dse.ldif file, Core Server Configuration Attributes Reference
- connection attribute, cn=monitor
- connection code, Common Connection Codes
- copiedFrom, copiedFrom, copyingFrom
- core configuration attributes
- passwordAllowChangeTime, passwordAllowChangeTime
- passwordExpirationTime, passwordExpirationTime
- passwordExpWarned, passwordExpWarned
- retryCountResetTime, retryCountResetTime
- core server configuration attributes
- backend, cn=USN tombstone cleanup task
- backendMonitorDN, cn=monitor
- basedn, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
- bytessent, cn=monitor
- cn, cn, Task Invocation Attributes for Entries under cn=tasks
- connection, cn=monitor
- currentconnection, cn=monitor
- currenttime, cn=monitor
- deleting, Deleting Configuration Attributes
- description, description
- dtablesize, cn=monitor
- entriessent, cn=monitor
- filter, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
- ldif, cn=automember export updates
- ldif_in, cn=automember map updates
- ldif_out, cn=automember map updates
- linkdn, cn=fixup linked attributes
- max_usn_to_delete, cn=USN tombstone cleanup task
- nbackends, cn=monitor
- nsArchiveDir, cn=backup, cn=restore
- nsDatabaseTypes, cn=backup, cn=restore
- nsDS50ruv, nsDS50ruv
- nsDS5BeginReplicaRefresh, nsDS5BeginReplicaRefresh
- nsDS5Flags, nsDS5Flags
- nsDS5ReplConflict, nsDS5ReplConflict
- nsDS5ReplicaBindDN, nsDS5ReplicaBindDN
- nsDS5ReplicaBindMethod, nsDS5ReplicaBindMethod
- nsDS5ReplicaBusyWaitTime, nsDS5ReplicaBusyWaitTime
- nsDS5ReplicaChangeCount, nsDS5ReplicaChangeCount
- nsDS5ReplicaChangesSentSinceStartup, nsDS5ReplicaChangesSentSinceStartup
- nsDS5ReplicaCredentials, nsDS5ReplicaCredentials
- nsds5ReplicaEnabled, nsds5ReplicaEnabled
- nsDS5ReplicaHost, nsDS5ReplicaHost
- nsDS5ReplicaID, nsDS5ReplicaId
- nsDS5ReplicaLastInitEnd, nsDS5ReplicaLastInitEnd
- nsDS5ReplicaLastInitStart, nsDS5ReplicaLastInitStart
- nsDS5ReplicaLastInitStatus, nsDS5ReplicaLastInitStatus
- nsDS5ReplicaLastUpdateEnd, nsDS5ReplicaLastUpdateEnd
- nsDS5ReplicaLastUpdateStart, nsDS5ReplicaLastUpdateStart
- nsDS5ReplicaLastUpdateStatus, nsDS5ReplicaLastUpdateStatus
- nsDS5ReplicaLegacyConsumer, nsDS5ReplicaLegacyConsumer
- nsDS5ReplicaName, nsDS5ReplicaName
- nsDS5ReplicaPort, nsDS5ReplicaPort
- nsDS5ReplicaPurgeDelay, nsDS5ReplicaPurgeDelay
- nsDS5ReplicaReapActive, nsDS5ReplicaReapActive
- nsDS5ReplicaReferral, nsDS5ReplicaReferral
- nsDS5ReplicaReleaseTimeout, nsDS5ReplicaReleaseTimeout
- nsDS5ReplicaRoot, nsDS5ReplicaRoot
- nsDS5ReplicaSessionPauseTime, nsDS5ReplicaSessionPauseTime
- nsds5ReplicaStripAttrs, nsds5ReplicaStripAttrs
- nsDS5ReplicatedAttributeList, nsDS5ReplicatedAttributeList
- nsDS5ReplicatedAttributeListTotal, nsDS5ReplicatedAttributeListTotal
- nsDS5ReplicaTimeout, nsDS5ReplicaTimeout
- nsDS5ReplicaTombstonePurgeInterval, nsDS5ReplicaTombstonePurgeInterval
- nsDS5ReplicaTransportInfo, nsDS5ReplicaTransportInfo
- nsDS5ReplicaType, nsDS5ReplicaType
- nsDS5ReplicaUpdateInProgress, nsDS5ReplicaUpdateInProgress
- nsDS5ReplicaUpdateSchedule, nsDS5ReplicaUpdateSchedule
- nsds5Task, nsds5Task
- nsDumpUniqId, cn=export
- nsExcludeSuffix, cn=import, cn=export
- nsExportReplica, cn=export
- nsFilename, cn=import, cn=export
- nsImportChunkSize, cn=import
- nsImportIndexAttrs, cn=import
- nsIncludeSuffix, cn=import, cn=export
- nsIndexAttribute, cn=index
- nsIndexVLVAttribute, cn=index
- nsInstance, cn=import, cn=export
- nsNoWrap, cn=export
- nsPrintKey, cn=export
- nsruvReplicaLastModified, nsruvReplicaLastModified
- nsSaslMapBaseDNTemplate, nsSaslMapBaseDNTemplate
- nsSaslMapFilterTemplate, nsSaslMapFilterTemplate
- nsSaslMapRegexString, nsSaslMapRegexString
- nsslapd-accesslog, nsslapd-accesslog (Access Log)
- nsslapd-accesslog-level, nsslapd-accesslog-level (Access Log Level)
- nsslapd-accesslog-list, nsslapd-accesslog-list (List of Access Log Files)
- nsslapd-accesslog-logbuffering, nsslapd-accesslog-logbuffering (Log Buffering)
- nsslapd-accesslog-logexpirationtime, nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
- nsslapd-accesslog-logexpirationtimeunit, nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
- nsslapd-accesslog-logging-enabled, nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
- nsslapd-accesslog-logmaxdiskspace, nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
- nsslapd-accesslog-logminfreediskspace, nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
- nsslapd-accesslog-logrotationsync-enabled, nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
- nsslapd-accesslog-logrotationsynchour, nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
- nsslapd-accesslog-logrotationsyncmin, nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
- nsslapd-accesslog-logrotationtime, nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
- nsslapd-accesslog-maxlogsize, nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
- nsslapd-accesslog-maxlogsperdir, nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
- nsslapd-accesslog-mode, nsslapd-accesslog-mode (Access Log File Permission)
- nsslapd-allow-anonymous-access, nsslapd-allow-anonymous-access
- nsslapd-allow-unauthenticated-binds, nsslapd-allow-unauthenticated-binds
- nsslapd-allowed-to-delete-attrs, nsslapd-allowed-to-delete-attrs
- nsslapd-anonlimitsdn, nsslapd-anonlimitsdn
- nsslapd-attribute-name-exceptions, nsslapd-attribute-name-exceptions
- nsslapd-auditlog-list, nsslapd-auditlog-list
- nsslapd-auditlog-logexpirationtime, nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
- nsslapd-auditlog-logexpirationtimeunit, nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
- nsslapd-auditlog-logging-enabled, nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
- nsslapd-auditlog-logmaxdiskspace, nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
- nsslapd-auditlog-logminfreediskspace, nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
- nsslapd-auditlog-logrotationsync-enabled, nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
- nsslapd-auditlog-logrotationsynchour, nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
- nsslapd-auditlog-logrotationsyncmin, nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
- nsslapd-auditlog-logrotationtime, nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
- nsslapd-auditlog-logrotationtimeunit, nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
- nsslapd-auditlog-maxlogsize, nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
- nsslapd-auditlog-maxlogsperdir, nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
- nsslapd-auditlog-mode, nsslapd-auditlog-mode (Audit Log File Permission)
- nsslapd-backend, nsslapd-backend
- nsslapd-bakdir, nsslapd-bakdir (Default Backup Directory)
- nsslapd-certmap-basedn, nsslapd-certmap-basedn (Certificate Map Search Base)
- nsslapd-changelogdir, nsslapd-changelogdir
- nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
- nsslapd-changelogmaxconcurrentwrites, nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
- nsslapd-changelogmaxentries, nsslapd-changelogmaxentries (Max Changelog Records)
- nsslapd-config, nsslapd-config
- nsslapd-conntablesize, nsslapd-conntablesize
- nsslapd-counters, nsslapd-counters
- nsslapd-csnlogging, nsslapd-csnlogging
- nsslapd-defaultnamingcontext, nsslapd-defaultnamingcontext
- nsslapd-disk-monitoring, nsslapd-disk-monitoring
- nsslapd-disk-monitoring-grace-period, nsslapd-disk-monitoring-grace-period
- nsslapd-disk-monitoring-logging-critical, nsslapd-disk-monitoring-logging-critical
- nsslapd-disk-monitoring-threshold, nsslapd-disk-monitoring-threshold
- nsslapd-dn-validate-strict, nsslapd-dn-validate-strict
- nsslapd-ds4-compatible-schema, nsslapd-ds4-compatible-schema
- nsslapd-encryptionalgorithm, nsslapd-encryptionalgorithm (Encryption Algorithm)
- nsslapd-entryusn-import-initval, nsslapd-entryusn-import-initval
- nsslapd-errorlog, nsslapd-errorlog (Error Log)
- nsslapd-errorlog-level, nsslapd-errorlog-level (Error Log Level)
- nsslapd-errorlog-list, nsslapd-errorlog-list
- nsslapd-errorlog-logexpirationtime, nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
- nsslapd-errorlog-logexpirationtimeunit, nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
- nsslapd-errorlog-logging-enabled, nsslapd-errorlog-logging-enabled (Enable Error Logging)
- nsslapd-errorlog-logmaxdiskspace, nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
- nsslapd-errorlog-logminfreediskspace, nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
- nsslapd-errorlog-logrotationsync-enabled, nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
- nsslapd-errorlog-logrotationsynchour, nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
- nsslapd-errorlog-logrotationsyncmin, nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
- nsslapd-errorlog-logrotationtime, nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
- nsslapd-errorlog-logrotationtimeunit, nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
- nsslapd-errorlog-maxlogsize, nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
- nsslapd-errorlog-maxlogsperdir, nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
- nsslapd-errorlog-mode, nsslapd-errorlog-mode (Error Log File Permission)
- nsslapd-force-sasl-external, nsslapd-force-sasl-external
- nsslapd-groupevalnestlevel, nsslapd-groupevalnestlevel
- nsslapd-idletimeout, nsslapd-idletimeout (Default Idle Timeout)
- nsslapd-instancedir, nsslapd-instancedir (Instance Directory)
- nsslapd-ioblocktimeout, nsslapd-ioblocktimeout (IO Block Time Out)
- nsslapd-lastmod, nsslapd-lastmod (Track Modification Time)
- nsslapd-ldapiautobind, nsslapd-ldapiautobind (Enable Autobind)
- nsslapd-ldapientrysearchbase, nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)
- nsslapd-ldapifilepath, nsslapd-ldapifilepath (File Location for LDAPI Socket)
- nsslapd-ldapigidnumbertype, nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)
- nsslapd-ldapilisten, nsslapd-ldapilisten (Enable LDAPI)
- nsslapd-ldapimaprootdn, nsslapd-ldapimaprootdn (Autobind Mapping for Root User)
- nsslapd-ldapimaptoentries, nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)
- nsslapd-ldapiuidnumbertype, nsslapd-ldapiuidnumbertype
- nsslapd-listen-backlog-size, nsslapd-listen-backlog-size
- nsslapd-listenhost, nsslapd-listenhost (Listen to IP Address)
- nsslapd-localhost, nsslapd-localhost (Local Host)
- nsslapd-localuser, nsslapd-localuser (Local User)
- nsslapd-malloc-mmap-threshold, nsslapd-malloc-mmap-threshold
- nsslapd-malloc-mxfast, nsslapd-malloc-mxfast
- nsslapd-malloc-trim-threshold, nsslapd-malloc-trim-threshold
- nsslapd-maxbersize, nsslapd-maxbersize (Maximum Message Size)
- nsslapd-maxdescriptors, nsslapd-maxdescriptors (Maximum File Descriptors)
- nsslapd-maxsasliosize, nsslapd-maxsasliosize (Maximum SASL Packet Size)
- nsslapd-maxthreadsperconn, nsslapd-maxthreadsperconn (Maximum Threads per Connection)
- nsslapd-minssf, nsslapd-minssf
- nsslapd-minssf-exclude-rootdse, nsslapd-minssf-exclude-rootdse
- nsslapd-nagle, nsslapd-nagle
- nsslapd-ndn-cache-enabled, nsslapd-ndn-cache-enabled
- nsslapd-ndn-cache-max-size, nsslapd-ndn-cache-max-size
- nsslapd-outbound-ldap-io-timeout, nsslapd-outbound-ldap-io-timeout
- nsslapd-pagedsizelimit, nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
- nsslapd-plug-in, nsslapd-plug-in
- nsslapd-plugin-binddn-tracking, nsslapd-plugin-binddn-tracking
- nsslapd-port, nsslapd-port (Port Number)
- nsslapd-privatenamespaces, nsslapd-privatenamespaces
- nsslapd-pwpolicy-local, nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
- nsslapd-readonly, nsslapd-readonly (Read Only)
- nsslapd-referral, nsslapd-referral (Referral)
- nsslapd-referralmode, nsslapd-referralmode (Referral Mode)
- nsslapd-require-secure-binds, nsslapd-require-secure-binds
- nsslapd-requiresrestart, nsslapd-requiresrestart
- nsslapd-reservedescriptors, nsslapd-reservedescriptors (Reserved File Descriptors)
- nsslapd-return-exact-case, nsslapd-return-exact-case (Return Exact Case)
- nsslapd-rootdn, nsslapd-rootdn (Manager DN)
- nsslapd-rootpw, nsslapd-rootpw (Root Password)
- nsslapd-rootpwstoragescheme, nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
- nsslapd-saslpath, nsslapd-saslpath
- nsslapd-schema-ignore-trailing-spaces, nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
- nsslapd-schemacheck, nsslapd-schemacheck (Schema Checking)
- nsslapd-schemareplace, nsslapd-schemareplace
- nsslapd-securelistenhost, nsslapd-securelistenhost
- nsslapd-securePort, nsslapd-securePort (Encrypted Port Number)
- nsslapd-security, nsslapd-security (Security)
- nsslapd-sizelimit, nsslapd-sizelimit (Size Limit)
- nsslapd-ssl-check-hostname, nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
- nsslapd-state, nsslapd-state
- nsslapd-syntaxcheck, nsslapd-syntaxcheck
- nsslapd-syntaxlogging, nsslapd-syntaxlogging
- nsslapd-timelimit, nsslapd-timelimit (Time Limit)
- nsslapd-validate-cert, nsslapd-validate-cert
- nsslapd-versionstring, nsslapd-versionstring
- nsslapd-workingdir, nsslapd-workingdir
- nssnmpcontact, nssnmpcontact
- nssnmpdescription, nssnmpdescription
- nssnmpenabled, nssnmpenabled
- nssnmplocation, nssnmplocation
- nssnmpmasterhost, nssnmpmasterhost
- nssnmpmasterport, nssnmpmasterport
- nssnmporganization, nssnmporganization
- nsssl2 attribute, nsSSL2
- nsSSL2Ciphers attribute, nsSSL2Ciphers
- nsssl3 attribute, nsSSL3
- nsSSL3Ciphers attribute, nsSSL3Ciphers
- nsSSLClientAuth, nsSSLClientAuth (Client Authentication)
- nssslsessiontimeout attribute, nssslsessiontimeout
- nsState, nsState
- nsstate, cn=uniqueid generator
- nsSymmetricKey, nsSymmetricKey
- nsTaskCancel, Task Invocation Attributes for Entries under cn=tasks
- nsTaskCurrentItem, Task Invocation Attributes for Entries under cn=tasks
- nsTaskExitCode, Task Invocation Attributes for Entries under cn=tasks
- nsTaskLog, Task Invocation Attributes for Entries under cn=tasks
- nsTaskStatus, Task Invocation Attributes for Entries under cn=tasks
- nsTLS1 attribute, nsTLS1
- nsTLS10 attribute, nsTLS10
- nsTLS11 attribute, nsTLS11
- nsTLS12 attribute, nsTLS12
- nsUniqueIdGenerator, cn=import
- nsUniqueIdGeneratorNamespace, cn=import
- nsUseId2Entry, cn=export
- nsUseOneFile, cn=export
- opscompleted, cn=monitor
- opsinitiated, cn=monitor
- passwordCheckSyntax, passwordCheckSyntax (Check Password Syntax)
- passwordExp, passwordExp (Password Expiration)
- passwordHistory, passwordHistory (Password History)
- passwordInHistory, passwordInHistory (Number of Passwords to Remember)
- passwordLegacyPolicy, passwordLegacyPolicy
- passwordLockout, passwordLockout (Account Lockout)
- passwordLockoutDuration, passwordLockoutDuration (Lockout Duration)
- passwordMaxAge, passwordMaxAge (Password Maximum Age)
- passwordMaxFailure, passwordMaxFailure (Maximum Password Failures)
- passwordMinAge, passwordMinAge (Password Minimum Age)
- passwordMinLength, passwordMinLength (Password Minimum Length)
- passwordMustChange, passwordMustChange (Password Must Change)
- passwordResetDuration, passwordResetDuration
- passwordResetFailureCount, passwordResetFailureCount (Reset Password Failure Count After)
- passwordStorageScheme, passwordStorageScheme (Password Storage Scheme)
- passwordTrackUpdateTime, passwordTrackUpdateTime
- passwordUnlock, passwordUnlock (Unlock Account)
- passwordWarning, passwordWarning (Send Warning)
- readwaiters, cn=monitor
- replica-base-dn, cn=cleanallruv, cn=abort cleanallruv
- replica-certify-all, cn=abort cleanallruv
- replica-force-cleaning, cn=cleanallruv
- replica-id, cn=cleanallruv, cn=abort cleanallruv
- schemadir, cn=schema reload task
- scope, cn=automember rebuild membership, cn=automember export updates
- starttime, cn=monitor
- suffix, cn=USN tombstone cleanup task
- totalconnections, cn=monitor
- ttl, Task Invocation Attributes for Entries under cn=tasks
- cosAttribute, cosAttribute
- cosDefinition, cosDefinition
- cosIndirectDefinition, cosIndirectDefinition
- cosPointerDefinition, cosPointerDefinition
- cosPriority, cosPriority
- cosSpecifier, cosSpecifier
- cosSuperDefinition, cosSuperDefinition
- cosTargetTree, cosTargetTree
- cosTemplate, cosTemplate
- cosTemplateDn, cosTemplateDn
- country, country
- createTimestamp, createTimestamp
- creatorsName, creatorsName
- crossCertificatePair, crossCertificatePair
- currentconnections attribute, cn=monitor
- currentdncachecount, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- currentdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- currentNormalizedDNcachecount attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- currentNormalizedDNcachesize attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- currenttime attribute, cn=monitor
D
- database
- exporting, db2ldif (Exports Database Contents to LDIF)
- reindexing index files, db2index (Reindexes Database Index Files)
- database encryption
- database files, Database Files
- database link plug-in configuration attributes
- nsAbandonCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsAbandonedSearchCheckInterval, nsAbandonedSearchCheckInterval
- nsActiveChainingComponents, nsActiveChainingComponents
- nsAddCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindConnectionCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindConnectionsLimit, nsBindConnectionsLimit
- nsBindCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindMechanism, nsBindMechanism
- nsBindRetryLimit, nsBindRetryLimit
- nsBindTimeout, nsBindTimeout
- nsCheckLocalACI, nsCheckLocalACI
- nsCompareCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsConcurrentBindLimit, nsConcurrentBindLimit
- nsConcurrentOperationsLimit, nsConcurrentOperationsLimit
- nsConnectionLife, nsConnectionLife
- nsDeleteCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsFarmServerURL, nsFarmServerURL
- nshoplimit, nshoplimit
- nsMaxResponseDelay, nsMaxResponseDelay
- nsMaxTestResponseDelay, nsMaxTestResponseDelay
- nsModifyCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsMultiplexorBindDN, nsMultiplexorBindDN
- nsMultiplexorCredentials, nsMultiplexorCredentials
- nsOperationConnectionCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsOperationConnectionsLimit, nsOperationConnectionsLimit
- nsProxiedAuthorization, nsProxiedAuthorization
- nsReferralOnScopedSearch, nsReferralOnScopedSearch
- nsRenameCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchBaseCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchOneLevelCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchSubtreeCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSizeLimit, nsSizeLimit
- nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
- nsTimeLimit, nsTimeLimit
- nsTransmittedControls, nsTransmittedControls
- nsUnbindCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsUseStartTLS, nsUseStartTLS
- database plug-in configuration attributes
- cn, cn
- dbcachehitratio, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachehits, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachepagein, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachepageout, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcacheroevict, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcacherwevict, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachetries, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbfilecachehit, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilecachemiss, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilenamenumber, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilepagein, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilepageout, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- nsIndexIDListScanLimit, nsIndexIDListScanLimit
- nsIndexType, nsIndexType
- nsMatchingRule, nsMatchingRule
- nsslapd-cache-autosize, nsslapd-cache-autosize
- nsslapd-cache-autosize-split, nsslapd-cache-autosize-split
- nsslapd-cachememsize, nsslapd-cachememsize
- nsslapd-cachesize, nsslapd-cachesize
- nsslapd-db-checkpoint-interval, nsslapd-db-checkpoint-interval
- nsslapd-db-circular-logging, nsslapd-db-circular-logging
- nsslapd-db-debug, nsslapd-db-debug
- nsslapd-db-durable-transactions, nsslapd-db-durable-transactions
- nsslapd-db-home-directory, nsslapd-db-home-directory
- nsslapd-db-idl-divisor, nsslapd-db-idl-divisor
- nsslapd-db-logbuf-size, nsslapd-db-logbuf-size
- nsslapd-db-logdirectory, nsslapd-db-logdirectory
- nsslapd-db-logfile-size, nsslapd-db-logfile-size
- nsslapd-db-page-size, nsslapd-db-page-size
- nsslapd-db-spin-count, nsslapd-db-spin-count
- nsslapd-db-transaction-batch-val, nsslapd-db-transaction-batch-val
- nsslapd-db-trickle-percentage, nsslapd-db-trickle-percentage
- nsslapd-db-verbose, nsslapd-db-verbose
- nsslapd-dbcachesize, nsslapd-dbcachesize
- nsslapd-dbncache, nsslapd-dbncache
- nsslapd-directory, nsslapd-directory, nsslapd-directory
- nsslapd-dncachememsize, nsslapd-dncachememsize
- nsslapd-exclude-from-export, nsslapd-exclude-from-export
- nsslapd-idlistscanlimit, nsslapd-idlistscanlimit
- nsslapd-import-cache-autosize, nsslapd-import-cache-autosize
- nsslapd-import-cachesize, nsslapd-import-cachesize
- nsslapd-lookthroughlimit, nsslapd-lookthroughlimit
- nsslapd-mode, nsslapd-mode
- nsslapd-pagedidlistscanlimit, nsslapd-pagedidlistscanlimit
- nsslapd-pagedlookthroughlimit, nsslapd-pagedlookthroughlimit
- nsslapd-rangelookthroughlimit, nsslapd-rangelookthroughlimit
- nsslapd-readonly, nsslapd-readonly
- nsslapd-require-index, nsslapd-require-index
- nsslapd-subtree-rename-switch, nsslapd-subtree-rename-switch
- nsslapd-suffix, nsslapd-suffix
- nsSubStrBegin, nsSubStrBegin
- nsSubStrEnd, nsSubStrEnd
- nsSubStrMiddle, nsSubStrMiddle
- nsSystemIndex, nsSystemIndex
- vlvBase, vlvBase
- vlvEnabled, vlvEnabled
- vlvFilter, vlvFilter
- vlvScope, vlvScope
- vlvSort, vlvSort
- vlvUses, vlvUses
- database plug-in monitoring attributes
- currentdncachecount, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- currentdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- currentNormalizedDNcachecount, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- currentNormalizedDNcachesize, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- maxdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- maxNormalizedDNcachesize, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachehitratio, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachehits, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachemisses, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachetries, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-abort-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-active-txns, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-hit, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-size-bytes, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-try, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-clean-pages, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-commit-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-deadlock-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-dirty-pages, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-buckets, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-elements-examine-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-search-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-conflicts, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-request-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lockers, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-bytes-since-checkpoint, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-write-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-longest-chain-length, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-create-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-ro-evict-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-rw-evict-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-trickle-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-write-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-pages-in-use, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-txn-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- database schema
- database-specific configuration
- location of, Overview of the Directory Server Configuration
- db.00x files, Database Files
- db2bak
- command-line shell script, db2bak (Creates a Backup of a Database)
- quick reference, Command-Line Scripts Quick Reference
- db2bak.pl
- command-line perl script, db2bak.pl (Creates a Backup of a Database)
- quick reference, Command-Line Scripts Quick Reference
- db2index, Utilities for Creating and Regenerating Indexes: db2index
- command-line shell script, db2index (Reindexes Database Index Files)
- quick reference, Command-Line Scripts Quick Reference
- db2index.pl
- command-line perl script, db2index.pl (Creates and Generates Indexes)
- quick reference, Command-Line Scripts Quick Reference
- db2ldif
- command-line shell script, db2ldif (Exports Database Contents to LDIF)
- quick reference, Command-Line Scripts Quick Reference
- db2ldif.pl
- command-line perl script, db2ldif.pl (Exports Database Contents to LDIF)
- quick reference, Command-Line Scripts Quick Reference
- dbcachehitratio attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachehits attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachepagein attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachepageout attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcacheroevict attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcacherwevict attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachetries attribute, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbfilecachehit attribute, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilecachemiss attribute, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilenamenumber attribute, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilepagein attribute, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilepageout attribute, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbmon.sh command-line script
- dbscan command-line utility
- dbverify
- command-line shell script, dbverify (Checks for Corrupt Databases)
- quick reference, Command-Line Scripts Quick Reference
- dc, dc (domainComponent)
- dcObject, dcObject
- default schema, Default Directory Server Schema Files
- defaultNamingContext, defaultNamingContext
- deleteOldRdn, deleteOldRdn
- deleting
- core server configuration attributes, Deleting Configuration Attributes
- dse.ldif file, Deleting Configuration Attributes
- deltaRevocationList, deltaRevocationList
- departmentNumber, departmentNumber
- description, description
- description attribute, description
- destinationIndicator, destinationIndicator
- displayName, displayName
- distinguished names
- distributed numeric assignment
- plug-in configuration attributes, Distributed Numeric Assignment Plug-in Attributes
- distributed numeric assignment plug-in configuration attributes
- dnaFilter, dnaFilter
- dnaHostname, dnaHostname
- dnaInterval, dnaInterval
- dnaMagicRegen, dnaMagicRegen
- dnaMaxValue, dnaMaxValue
- dnaNextRange, dnaNextRange
- dnaNextValue, dnaNextValue
- dnaPortNum, dnaPortNum
- dnaPrefix, dnaPrefix
- dnaRangeRequestTimeout, dnaRangeRequestTimeout
- dnaRemainingValues, dnaRemainingValues
- dnaScope, dnaScope
- dnaSecurePortNum, dnaSecurePortNum
- dnaSharedCfgDN, dnaSharedCfgDN
- dnaThreshold, dnaThreshold
- dnaType, dnaType
- dITContentRules, dITContentRules
- dITRedirect, dITRedirect
- dITStructureRules, dITStructureRules
- dmdname, dmdName
- dn, dn (distinguishedName)
- dn2rdn command-line utility
- dNSRecord, dNSRecord
- documentAuthor, documentAuthor
- documentIdentifier, documentIdentifier
- documentLocation, documentLocation
- documentPublisher, documentPublisher
- documentStore, documentStore
- documentTitle, documentTitle
- documentVersion, documentVersion
- domainRelatedObject, domainRelatedObject
- drink, drink (favouriteDrink)
- ds-logpipe.py, Replacing Log Files with a Named Pipe, ds-logpipe.py
- example, ds-logpipe.py
- options, ds-logpipe.py
- syntax, ds-logpipe.py
- using plug-ins, Loading Plug-ins with the Named Pipe Log Script
- dSA, dSA
- dSAQuality, dSAQuality
- dse.ldif
- configuration information tree, Core Server Configuration Attributes Reference
- contents of, Overview of the Directory Server Configuration
- deleting attributes, Deleting Configuration Attributes
- editing, Configuration Changes Requiring Server Restart
- ldif files, LDIF and Schema Configuration Files
- dse.ldif.bak file, Overview of the Directory Server Configuration
- dse.ldif.startOK file, Overview of the Directory Server Configuration
- ds_removal
- quick reference, Command-Line Scripts Quick Reference
- ds_removal command-line script
- ds_removal command-line utility
- options, ds_removal
- syntax, ds_removal
- dtablesize attribute, cn=monitor
E
- editing
- dse.ldif file, Configuration Changes Requiring Server Restart
- employeeNumber, employeeNumber
- employeeType, employeeType
- encryption
- root password, nsslapd-rootpw (Root Password)
- specifying password storage scheme, passwordStorageScheme (Password Storage Scheme)
- encryption configuration attributes
- nsssl2, nsSSL2
- nsSSL2Ciphers, nsSSL2Ciphers
- nsssl3, nsSSL3
- nsSSL3Ciphers, nsSSL3Ciphers
- nssslsessiontimeout, nssslsessiontimeout
- nsTLS1, nsTLS1
- nsTLS10, nsTLS10
- nsTLS11, nsTLS11
- nsTLS12, nsTLS12
- encryption configuration entries
- cn=encryption, cn=encryption
- encryption method, for root password, nsslapd-rootpw (Root Password)
- enhancedSearchGuide, enhancedSearchGuide
- entriessent attribute, cn=monitor
- entrydn.db4 file, Database Files
- entryusn, entryusn
- error log
- contents
- format, Error Log Content
- LDAP result codes, LDAP Result Codes
- extending schema, Extending the Schema
F
- fax, fax (facsimileTelephoneNumber)
- files
- ancestorid.db4, Database Files
- entrydn.db4, Database Files
- id2entry.db4, Database Files
- locating configuration, Accessing and Modifying Server Configuration
- nsuniqueid.db4, Database Files
- numsubordinates.db4, Database Files
- objectclass.db4, Database Files
- parentid.db4, Database Files
- filter, cn=memberof task, cn=syntax validate, cn=automember rebuild membership, cn=automember export updates
- fixup-linkedattrs.pl
- command-line perl script, fixup-linkedattrs.pl (Regenerate Linked and Managed Attributes)
- quick reference, Command-Line Scripts Quick Reference
- related configuration entry, cn=fixup linked attributes
- fixup-memberof.pl
- quick reference, Command-Line Scripts Quick Reference
- related configuration entry, cn=memberof task
- fixup-memberof.pl
- command-line perl script, fixup-memberof.pl (Regenerate memberOf Attributes)
- friendlyCountry, friendlyCountry
G
- gecos, gecos
- generationQualifier, generationQualifier
- gidNumber, gidNumber
- givenName, givenName
- groupOfCertificates, groupOfCertificates
- groupOfMailEnhancedUniqueNames, groupOfMailEnhancedUniqueNames
- groupOfNames, groupOfNames
- groupOfURLs, groupOfURLs
H
- homeDirectory, homeDirectory
- homePhone, homePhone
- homePostalAddress, homePostalAddress
- host, host
- houseIdentifier, houseIdentifier
I
- id2entry.db4 file, Database Files
- ieee802Device, ieee802Device
- Indexes
- configuration of, Configuration of Indexes
- inetAdmin, inetAdmin
- inetDomain, inetDomain
- inetDomainBaseDN, inetDomainBaseDN
- inetDomainStatus, inetDomainStatus
- inetOrgPerson, inetOrgPerson
- inetSubscriber, inetSubscriber
- inetSubscriberAccountId, inetSubscriberAccountId
- inetSubscriberChallenge, inetSubscriberChallenge
- inetSubscriberResponse, inetSubscriberResponse
- inetUser, inetUser
- inetUserHttpURL, inetUserHttpURL
- inetUserStatus, inetUserStatus
- info, info
- initials, initials
- installationTimeStamp, installationTimeStamp
- internalCreatorsName, internalCreatorsName
- internalModifiersName, internalModifiersName
- internationalISDNNumber, internationalISDNNumber
- ipHost, ipHost
- ipHostNumber, ipHostNumber
- ipNetmaskNumber, ipNetmaskNumber
- ipNetwork, ipNetwork
- ipNetworkNumber, ipNetworkNumber
- ipProtocol, ipProtocol
- ipProtocolNumber, ipProtocolNumber
- ipService, ipService
- ipServicePort, ipServicePort
- ipServiceProtocol, ipServiceProtocol
J
K
- keyWords, keyWords
L
- l, l (localityName)
- labeledURI, labeledURI
- labeledURIObject, labeledURIObject
- lastLoginTime, lastLoginTime
- lastModifiedBy, lastModifiedBy
- lastModifiedTime, lastModifiedTime
- LDAP
- modifying configuration entries, Modifying Configuration Entries Using LDAP
- LDAP Data Interchange Format (LDIF)
- binary data, ldif
- LDAP result codes, LDAP Result Codes
- ldapSyntaxes, ldapSyntaxes
- ldclt
- location, ldclt (Load Stress Tests)
- test script, ldclt (Load Stress Tests)
- ldif, cn=automember export updates
- ldif command-line utility
- LDIF configuration files
- contents of, How the Server Configuration Is Organized
- detailed contents of, LDIF and Schema Configuration Files
- location of, LDIF and Schema Configuration Files
- LDIF entries
- binary data in, ldif
- ldif files
- 00core.ldif, LDIF and Schema Configuration Files
- 01common.ldif, LDIF and Schema Configuration Files
- 05rfc2247.ldif, LDIF and Schema Configuration Files
- 05rfc2927.ldif, LDIF and Schema Configuration Files
- 10presence.ldif, LDIF and Schema Configuration Files
- 10rfc2307.ldif, LDIF and Schema Configuration Files
- 20subscriber.ldif, LDIF and Schema Configuration Files
- 25java-object.ldif, LDIF and Schema Configuration Files
- 28pilot.ldif, LDIF and Schema Configuration Files
- 30ns-common.ldif, LDIF and Schema Configuration Files
- 50ns-admin.ldif, LDIF and Schema Configuration Files
- 50ns-certificate.ldif, LDIF and Schema Configuration Files
- 50ns-directory.ldif, LDIF and Schema Configuration Files
- 50ns-mail.ldif, LDIF and Schema Configuration Files
- 50ns-value.ldif, LDIF and Schema Configuration Files
- 50ns-web.ldif, LDIF and Schema Configuration Files
- 99user.ldif, LDIF and Schema Configuration Files
- dse.ldif, LDIF and Schema Configuration Files
- LDIF files, LDIF Files
- ldif2db
- command-line shell script, ldif2db (Import)
- quick reference, Command-Line Scripts Quick Reference
- ldif2db.pl
- command-line perl script, ldif2db.pl (Import)
- quick reference, Command-Line Scripts Quick Reference
- ldif2ldap
- command-line shell script, ldif2ldap (Performs Import Operation over LDAP)
- quick reference, Command-Line Scripts Quick Reference
- ldif_in, cn=automember map updates
- ldif_out, cn=automember map updates
- linkdn, cn=fixup linked attributes
- linked attributes plug-in configuration attributes
- linkScope, linkScope
- linkType, linkType
- managedType, managedType
- locality, locality
- lock files, Lock Files
- log files, Log Files
- access, nsslapd-accesslog (Access Log)
- error, nsslapd-errorlog (Error Log)
- log.xxxxxxxxxx files, Database Files
- logconv.pl
- quick reference, Command-Line Scripts Quick Reference
- logconv.pl script, logconv.pl (Log Converter)
- options, logconv.pl (Log Converter)
- loginShell, loginShell
- logs
- named pipe script
- permanently configuring named pipe, Using the Named Pipe for Logging
- replacing with named pipe, Replacing Log Files with a Named Pipe
M
- macAddress, macAddress
- mail, mail
- mailAccessDomain, mailAccessDomain
- mailAlternateAddress, mailAlternateAddress
- mailGroup, mailGroup
- mailMessageStore, mailMessageStore
- mailPreferenceOption, mailPreferenceOption
- mailRecipient, mailRecipient
- managed entries plug-in configuration attributes
- managedBase, managedBase
- managedTemplate, managedTemplate
- originFilter, originFilter
- originScope, originScope
- manager, manager
- matchingRules, matchingRules
- matchingRuleUse, matchingRuleUse
- maxdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- maxNormalizedDNcachesize attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- max_usn_to_delete, cn=USN tombstone cleanup task
- member, member
- memberCertificateDescription, memberCertificateDescription
- memberNisNetgroup, memberNisNetgroup
- memberOf, memberOf
- memberOf plug-in configuration attributes
- memberOfAllBackends, memberOfAllBackends
- memberOfAttr, memberOfAttr
- memberOfEntryScope, memberOfEntryScope
- memberOfEntryScopeExcludeSubtree, memberOfEntryScopeExcludeSubtree
- memberOfGroupAttr, memberOfGroupAttr
- memberUid, memberUid
- memberURL, memberURL
- mepManagedBy, mepManagedBy
- mepManagedEntry, mepManagedEntry, mepManagedEntry
- mepMappedAttr, mepMappedAttr
- mepOriginEntry, mepOriginEntry
- mepRDNAttr, mepRDNAttr
- mepStaticAttr, mepStaticAttr
- mepTemplateEntry, mepTemplateEntry
- Meta Directory changelog
- retro changelog, cn=changelog5
- migrate-ds-admin.pl
- quick reference, Command-Line Scripts Quick Reference
- migrate-ds-admin.pl command-line script
- options, migrate-ds-admin.pl
- syntax, migrate-ds-admin.pl
- migrate-ds.pl command-line script
- options, migrate-ds.pl
- syntax, migrate-ds.pl
- mobile, mobile
- modifiersName, modifiersName
- modifyTimestamp, modifyTimestamp
- modutil
- monitor
- command-line shell script, monitor (Retrieves Monitoring Information)
- quick reference, Command-Line Scripts Quick Reference
- mozillaCustom1, mozillaCustom1
- multi-master replication changelog
- changelog, cn=changelog5
N
- name, name
- named pipe log script
- configuring, Replacing Log Files with a Named Pipe
- named pipe logging script
- configuring in dse.ldif, Using the Named Pipe for Logging
- named pipe script
- using plug-ins, Loading Plug-ins with the Named Pipe Log Script
- nameForms, nameForms
- namingContexts, namingContexts
- nbackends attribute, cn=monitor
- netscapeCertificateServer, netscapeCertificateServer
- netscapeDirectoryServer, netscapeDirectoryServer
- NetscapeLinkedOrganization, NetscapeLinkedOrganization
- netscapeMachineData, netscapeMachineData
- NetscapePreferences, NetscapePreferences
- netscapeReversiblePasswordObject, netscapeReversiblePasswordObject
- netscapeServer, netscapeServer
- netscapeWebServer, netscapeWebServer
- newPilotPerson, newPilotPerson
- newRdn, newRdn
- newSuperior, newSuperior
- nisMap, nisMap
- nisNetgroup, nisNetgroup
- nisObject, nisObject
- normalizedDNcachehitratio attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachehits attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachemisses attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachetries attribute, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- ns-accountstatus.pl
- command-line perl script, ns-accountstatus.pl (Establishes Account Status)
- quick reference, Command-Line Scripts Quick Reference
- ns-activate.pl
- command-line perl script, ns-activate.pl (Activates an Entry or Group of Entries)
- quick reference, Command-Line Scripts Quick Reference
- ns-inactivate.pl
- command-line perl script, ns-inactivate.pl (Inactivates an Entry or Group of Entries)
- quick reference, Command-Line Scripts Quick Reference
- ns-newpolicy.pl
- quick reference, Command-Line Scripts Quick Reference
- ns-newpwpolicy.pl
- command-line perl script, ns-newpwpolicy.pl (Adds Attributes for Fine-Grained Password Policy)
- ns-slapd command-line utilities
- archive2db, Utilities for Restoring and Backing up Databases: archive2db
- db2archive, Utilities for Restoring and Backing up Databases: db2archive
- db2index, Utilities for Creating and Regenerating Indexes: db2index
- db2ldif, Utilities for Exporting Databases: db2ldif
- finding and executing, Finding and Executing the ns-slapd Command-Line Utilities
- ldif2db, Utilities for Restoring and Backing up Databases: ldif2db
- nsAbandonCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsAbandonedSearchCheckInterval attribute, nsAbandonedSearchCheckInterval
- nsActiveChainingComponents attribute, nsActiveChainingComponents
- nsAddCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsAdminConfig, nsAdminConfig
- nsAdminConsoleUser, nsAdminConsoleUser
- nsAdminDomain, nsAdminDomain
- nsAdminGlobalParameters, nsAdminGlobalParameters
- nsAdminGroup, nsAdminGroup
- nsAdminObject, nsAdminObject
- nsAdminResourceEditorExtension, nsAdminResourceEditorExtension
- nsAdminServer, nsAdminServer
- nsAIMpresence, nsAIMpresence
- nsApplication, nsApplication
- nsArchiveDir, cn=backup, cn=restore
- nsAttributeEncryption, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config, nsAttributeEncryption (Object Class)
- nsBindConnectionCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindConnectionsLimit attribute, nsBindConnectionsLimit
- nsBindCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindMechanism attribute, nsBindMechanism
- nsBindRetryLimit attribute, nsBindRetryLimit
- nsBindTimeout attribute, nsBindTimeout
- nsCertificateServer, nsCertificateServer
- nsCheckLocalACI attribute, nsCheckLocalACI
- nsCompareCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsComplexRoleDefinition, nsComplexRoleDefinition
- nsConcurrentBindLimit attribute, nsConcurrentBindLimit
- nsConcurrentOperationsLimit attribute, nsConcurrentOperationsLimit
- nsConnectionLife attribute, nsConnectionLife
- nsCustomView, nsCustomView
- nsDatabaseTypes, cn=backup, cn=restore
- nsDefaultObjectClasses, nsDefaultObjectClasses
- nsDeleteCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsDirectoryInfo, nsDirectoryInfo
- nsDirectoryServer, nsDirectoryServer
- nsDS50ruv attribute, nsDS50ruv
- nsDS5BeginReplicaRefresh attribute, nsDS5BeginReplicaRefresh
- nsDS5Flags attribute, nsDS5Flags
- nsDS5ReplConflict attribute, nsDS5ReplConflict
- nsDS5Replica, nsDS5Replica (Object Class)
- nsDS5ReplicaBindDN attribute, nsDS5ReplicaBindDN
- nsDS5ReplicaBindMethod attribute, nsDS5ReplicaBindMethod
- nsDS5ReplicaBusyWaitTime attribute, nsDS5ReplicaBusyWaitTime
- nsDS5ReplicaChangeCount attribute, nsDS5ReplicaChangeCount
- nsDS5ReplicaChangesSentSinceStartup attribute, nsDS5ReplicaChangesSentSinceStartup
- nsDS5ReplicaCredentials attribute, nsDS5ReplicaCredentials
- nsds5ReplicaEnabled attribute, nsds5ReplicaEnabled
- nsDS5ReplicaHost attribute, nsDS5ReplicaHost
- nsDS5ReplicaID attribute, nsDS5ReplicaId
- nsDS5ReplicaLastInitEnd attribute, nsDS5ReplicaLastInitEnd
- nsDS5ReplicaLastInitStart attribute, nsDS5ReplicaLastInitStart
- nsDS5ReplicaLastInitStatus attribute, nsDS5ReplicaLastInitStatus
- nsDS5ReplicaLastUpdateEnd attribute, nsDS5ReplicaLastUpdateEnd
- nsDS5ReplicaLastUpdateStart attribute, nsDS5ReplicaLastUpdateStart
- nsDS5ReplicaLastUpdateStatus attribute, nsDS5ReplicaLastUpdateStatus
- nsDS5ReplicaLegacyConsumer attribute, nsDS5ReplicaLegacyConsumer
- nsDS5ReplicaName attribute, nsDS5ReplicaName
- nsDS5ReplicaPort attribute, nsDS5ReplicaPort
- nsDS5ReplicaPurgeDelay attribute, nsDS5ReplicaPurgeDelay
- nsDS5ReplicaReapActive attribute, nsDS5ReplicaReapActive
- nsDS5ReplicaReferral attribute, nsDS5ReplicaReferral
- nsDS5ReplicaReleaseTimeout attribute, nsDS5ReplicaReleaseTimeout
- nsDS5ReplicaRoot attribute, nsDS5ReplicaRoot
- nsDS5ReplicaSessionPauseTime attribute, nsDS5ReplicaSessionPauseTime
- nsds5ReplicaStripAttrs attribute, nsds5ReplicaStripAttrs
- nsDS5ReplicatedAttributeList attribute, nsDS5ReplicatedAttributeList
- nsDS5ReplicatedAttributeListTotal attribute, nsDS5ReplicatedAttributeListTotal
- nsDS5ReplicaTimeout attribute, nsDS5ReplicaTimeout
- nsDS5ReplicationAgreement, nsDS5ReplicationAgreement (Object Class)
- nsDS5ReplicaTombstonePurgeInterval attribute, nsDS5ReplicaTombstonePurgeInterval
- nsDS5ReplicaTransportInfo attribute, nsDS5ReplicaTransportInfo
- nsDS5ReplicaType attribute, nsDS5ReplicaType
- nsDS5ReplicaUpdateInProgress attribute, nsDS5ReplicaUpdateInProgress
- nsDS5ReplicaUpdateSchedule attribute, nsDS5ReplicaUpdateSchedule
- nsds5Task attribute, nsds5Task
- nsds7DirectoryReplicaSubtree, nsds7DirectoryReplicaSubtree
- nsds7DirsyncCookie, nsds7DirsyncCookie
- nsds7NewWinGroupSyncEnabled, nsds7NewWinGroupSyncEnabled
- nsds7NewWinUserSyncEnabled, nsds7NewWinUserSyncEnabled
- nsds7WindowsDomain, nsds7WindowsDomain
- nsds7WindowsReplicaSubtree, nsds7WindowsReplicaSubtree
- nsDSWindowsReplicationAgreement, nsDSWindowsReplicationAgreement (Object Class)
- nsDumpUniqId, cn=export
- nsEncryptionAlgorithm, Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config
- nsEncryptionConfig, nsEncryptionConfig
- nsEncryptionModule, nsEncryptionModule
- nsExcludeSuffix, cn=import, cn=export
- nsExportReplica, cn=export
- nsFarmServerURL attribute, nsFarmServerURL
- nsFilename, cn=import, cn=export
- nsFilteredRoleDefinition, nsFilteredRoleDefinition
- nsGlobalParameters, nsGlobalParameters
- nshoplimit attribute, nshoplimit
- nsHost, nsHost
- nsICQpresence, nsICQpresence
- nsImportChunkSize, cn=import
- nsImportIndexAttrs, cn=import
- nsIncludeSuffix, cn=import, cn=export
- nsIndexAttribute, cn=index
- nsIndexIDListScanLimit attribute, nsIndexIDListScanLimit
- nsIndexType attribute, nsIndexType
- nsIndexVLVAttribute, cn=index
- nsInstance, cn=import, cn=export
- nsLicensedFor, nsLicensedFor
- nsLicenseEndTime, nsLicenseEndTime
- nsLicenseStartTime, nsLicenseStartTime
- nsLicenseUser, nsLicenseUser
- nsManagedRoleDefinition, nsManagedRoleDefinition
- nsMatchingRule attribute, nsMatchingRule
- nsMaxResponseDelay attribute, nsMaxResponseDelay
- nsMaxTestResponseDelay attribute, nsMaxTestResponseDelay
- nsMessagingServerUser, nsMessagingServerUser
- nsModifyCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsMSNpresence, nsMSNpresence
- nsMultiplexorBindDN attribute, nsMultiplexorBindDN
- nsMultiplexorCredentials attribute, nsMultiplexorCredentials
- nsNestedRoleDefinition, nsNestedRoleDefinition
- nsNoWrap, cn=export
- nsPrintKey, cn=export
- nsOperationConnectionCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsOperationConnectionsLimit attribute, nsOperationConnectionsLimit
- nsProxiedAuthorization attribute, nsProxiedAuthorization
- nsReferralOnScopedSearch attribute, nsReferralOnScopedSearch
- nsRenameCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsResourceRef, nsResourceRef
- nsRole, nsRole
- nsRoleDefinition, nsRoleDefinition
- nsRoleDn, nsRoleDn
- nsRoleFilter, nsRoleFilter
- nsruvReplicaLastModified attribute, nsruvReplicaLastModified
- nsSaslMapBaseDNTemplate attribute, nsSaslMapBaseDNTemplate
- nsSaslMapFilterTemplate attribute, nsSaslMapFilterTemplate
- nsSaslMapping, nsSaslMapping (Object Class)
- nsSaslMapRegexString attribute, nsSaslMapRegexString
- nsSearchBaseCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchOneLevelCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchSubtreeCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSimpleRoleDefinition, nsSimpleRoleDefinition
- nsSizeLimit attribute, nsSizeLimit
- nsslapd-accesslog attribute, nsslapd-accesslog (Access Log)
- nsslapd-accesslog-level attribute, nsslapd-accesslog-level (Access Log Level)
- nsslapd-accesslog-list attribute, nsslapd-accesslog-list (List of Access Log Files)
- nsslapd-accesslog-logbuffering attribute, nsslapd-accesslog-logbuffering (Log Buffering)
- nsslapd-accesslog-logexpirationtime attribute, nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
- nsslapd-accesslog-logexpirationtimeunit attribute, nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
- nsslapd-accesslog-logging-enabled attribute, nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
- nsslapd-accesslog-logmaxdiskspace attribute, nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
- nsslapd-accesslog-logminfreediskspace attribute, nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
- nsslapd-accesslog-logrotationsync-enabled attribute, nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
- nsslapd-accesslog-logrotationsynchour attribute, nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
- nsslapd-accesslog-logrotationsyncmin attribute, nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
- nsslapd-accesslog-logrotationtime attribute, nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
- nsslapd-accesslog-maxlogsize attribute, nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
- nsslapd-accesslog-maxlogsperdir attribute, nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
- nsslapd-accesslog-mode attribute, nsslapd-accesslog-mode (Access Log File Permission)
- nsslapd-allow-anonymous-access attribute, nsslapd-allow-anonymous-access
- nsslapd-allow-unauthenticated-binds attribute, nsslapd-allow-unauthenticated-binds
- nsslapd-allowed-to-delete-attrs attribute, nsslapd-allowed-to-delete-attrs
- nsslapd-anonlimitsdn attribute, nsslapd-anonlimitsdn
- nsslapd-attribute-name-exceptions attribute, nsslapd-attribute-name-exceptions
- nsslapd-auditlog-list attribute, nsslapd-auditlog-list
- nsslapd-auditlog-logexpirationtime attribute, nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
- nsslapd-auditlog-logexpirationtimeunit attribute, nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
- nsslapd-auditlog-logging-enabled attribute, nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
- nsslapd-auditlog-logmaxdiskspace attribute, nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
- nsslapd-auditlog-logminfreediskspace attribute, nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
- nsslapd-auditlog-logrotationsync-enabled attribute, nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
- nsslapd-auditlog-logrotationsynchour attribute, nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
- nsslapd-auditlog-logrotationsyncmin attribute, nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
- nsslapd-auditlog-logrotationtime attribute, nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
- nsslapd-auditlog-logrotationtimeunit attribute, nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
- nsslapd-auditlog-maxlogsize attribute, nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
- nsslapd-auditlog-maxlogsperdir attribute, nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
- nsslapd-auditlog-mode attribute, nsslapd-auditlog-mode (Audit Log File Permission)
- nsslapd-backend attribute, nsslapd-backend
- nsslapd-bakdir attribute, nsslapd-bakdir (Default Backup Directory)
- nsslapd-cache-autosize attribute, nsslapd-cache-autosize
- nsslapd-cache-autosize-split attribute, nsslapd-cache-autosize-split
- nsslapd-cachememsize attribute, nsslapd-cachememsize
- nsslapd-cachesize attribute, nsslapd-cachesize
- nsslapd-certmap-basedn attribute, nsslapd-certmap-basedn (Certificate Map Search Base)
- nsslapd-changelogdir attribute, nsslapd-changelogdir
- nsslapd-changelogmaxage attribute, nsslapd-changelogmaxage (Max Changelog Age)
- nsslapd-changelogmaxconcurrentwrites attribute, nsslapd-changelogmaxconcurrentwrites (Max Concurrent Rewrites)
- nsslapd-changelogmaxentries attribute, nsslapd-changelogmaxentries (Max Changelog Records)
- nsslapd-config attribute, nsslapd-config
- nsslapd-conntablesize attribute, nsslapd-conntablesize
- nsslapd-counters attribute, nsslapd-counters
- nsslapd-csnlogging attribute, nsslapd-csnlogging
- nsslapd-db-abort-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-active-txns attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-hit attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-size-bytes attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-try attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-checkpoint-interval attribute, nsslapd-db-checkpoint-interval
- nsslapd-db-circular-logging attribute, nsslapd-db-circular-logging
- nsslapd-db-clean-pages attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-commit-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-deadlock-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-debug attribute, nsslapd-db-debug
- nsslapd-db-dirty-pages attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-durable-transactions attribute, nsslapd-db-durable-transactions
- nsslapd-db-hash-buckets attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-elements-examine-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-search-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-home-directory attribute, nsslapd-db-home-directory
- nsslapd-db-idl-divisor attribute, nsslapd-db-idl-divisor
- nsslapd-db-lock-conflicts attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-request-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lockers attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-bytes-since-checkpoint attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-write-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-logbuf-size attribute, nsslapd-db-logbuf-size
- nsslapd-db-logdirectory attribute, nsslapd-db-logdirectory
- nsslapd-db-logfile-size attribute, nsslapd-db-logfile-size
- nsslapd-db-longest-chain-length attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-create-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-ro-evict-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-rw-evict-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-size attribute, nsslapd-db-page-size
- nsslapd-db-page-trickle-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-write-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-pages-in-use attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-spin-count attribute, nsslapd-db-spin-count
- nsslapd-db-transaction-batch-val attribute, nsslapd-db-transaction-batch-val
- nsslapd-db-trickle-percentage attribute, nsslapd-db-trickle-percentage
- nsslapd-db-txn-region-wait-rate attribute, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-verbose attribute, nsslapd-db-verbose
- nsslapd-dbcachesize attribute, nsslapd-dbcachesize
- nsslapd-dbncache attribute, nsslapd-dbncache
- nsslapd-defaultnamingcontext, nsslapd-defaultnamingcontext
- nsslapd-directory attribute, nsslapd-directory, nsslapd-directory
- nsslapd-disk-monitoring, nsslapd-disk-monitoring
- nsslapd-disk-monitoring-grace-period, nsslapd-disk-monitoring-grace-period
- nsslapd-disk-monitoring-logging-critical, nsslapd-disk-monitoring-logging-critical
- nsslapd-disk-monitoring-threshold, nsslapd-disk-monitoring-threshold
- nsslapd-dn-validate-strict, nsslapd-dn-validate-strict
- nsslapd-dncachememsize attribute, nsslapd-dncachememsize
- nsslapd-ds4-compatible-schema attribute, nsslapd-ds4-compatible-schema
- nsslapd-encryptionalgorithm, nsslapd-encryptionalgorithm (Encryption Algorithm)
- nsslapd-entryusn-import-initval attribute, nsslapd-entryusn-import-initval
- nsslapd-errorlog attribute, nsslapd-errorlog (Error Log)
- nsslapd-errorlog-level attribute, nsslapd-errorlog-level (Error Log Level)
- nsslapd-errorlog-list attribute, nsslapd-errorlog-list
- nsslapd-errorlog-logexpirationtime attribute, nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
- nsslapd-errorlog-logexpirationtimeunit attribute, nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
- nsslapd-errorlog-logging-enabled attribute, nsslapd-errorlog-logging-enabled (Enable Error Logging)
- nsslapd-errorlog-logmaxdiskspace attribute, nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
- nsslapd-errorlog-logminfreediskspace attribute, nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
- nsslapd-errorlog-logrotationsync-enabled attribute, nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
- nsslapd-errorlog-logrotationsynchour attribute, nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
- nsslapd-errorlog-logrotationsyncmin attribute, nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
- nsslapd-errorlog-logrotationtime attribute, nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
- nsslapd-errorlog-logrotationtimeunit attribute, nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
- nsslapd-errorlog-maxlogsize attribute, nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
- nsslapd-errorlog-maxlogsperdir attribute, nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
- nsslapd-errorlog-mode attribute, nsslapd-errorlog-mode (Error Log File Permission)
- nsslapd-exclude-from-export attribute, nsslapd-exclude-from-export
- nsslapd-force-sasl-external attribute, nsslapd-force-sasl-external
- nsslapd-groupevalnestlevel attribute, nsslapd-groupevalnestlevel
- nsslapd-idletimeout attribute, nsslapd-idletimeout (Default Idle Timeout)
- nsslapd-idlistscanlimit attribute, nsslapd-idlistscanlimit
- nsslapd-import-cache-autosize attribute, nsslapd-import-cache-autosize
- nsslapd-import-cachesize attribute, nsslapd-import-cachesize
- nsslapd-instancedir attribute, nsslapd-instancedir (Instance Directory)
- nsslapd-ioblocktimeout attribute, nsslapd-ioblocktimeout (IO Block Time Out)
- nsslapd-lastmod attribute, nsslapd-lastmod (Track Modification Time)
- nsslapd-ldapiautobind attribute, nsslapd-ldapiautobind (Enable Autobind)
- nsslapd-ldapientrysearchbase attribute, nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)
- nsslapd-ldapifilepath attribute, nsslapd-ldapifilepath (File Location for LDAPI Socket)
- nsslapd-ldapigidnumbertype attribute, nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)
- nsslapd-ldapilisten attribute, nsslapd-ldapilisten (Enable LDAPI)
- nsslapd-ldapimaprootdn attribute, nsslapd-ldapimaprootdn (Autobind Mapping for Root User)
- nsslapd-ldapimaptoentries attribute, nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)
- nsslapd-ldapiuidnumbertype attribute, nsslapd-ldapiuidnumbertype
- nsslapd-listen-backlog-size attribute, nsslapd-listen-backlog-size
- nsslapd-listenhost attribute, nsslapd-listenhost (Listen to IP Address)
- nsslapd-localhost attribute, nsslapd-localhost (Local Host)
- nsslapd-localuser attribute, nsslapd-localuser (Local User)
- nsslapd-lookthroughlimit attribute, nsslapd-lookthroughlimit
- nsslapd-malloc-mmap-threshold attribute, nsslapd-malloc-mmap-threshold
- nsslapd-malloc-mxfast attribute, nsslapd-malloc-mxfast
- nsslapd-malloc-trim-threshold attribute, nsslapd-malloc-trim-threshold
- nsslapd-maxbersize attribute, nsslapd-maxbersize (Maximum Message Size)
- nsslapd-maxdescriptors attribute, nsslapd-maxdescriptors (Maximum File Descriptors)
- nsslapd-maxsasliosize attribute, nsslapd-maxsasliosize (Maximum SASL Packet Size)
- nsslapd-maxthreadsperconn attribute, nsslapd-maxthreadsperconn (Maximum Threads per Connection)
- nsslapd-minssf attribute, nsslapd-minssf
- nsslapd-minssf-exclude-rootdse attribute, nsslapd-minssf-exclude-rootdse
- nsslapd-mode attribute, nsslapd-mode
- nsslapd-nagle attribute, nsslapd-nagle
- nsslapd-ndn-cache-enabled attribute, nsslapd-ndn-cache-enabled
- nsslapd-ndn-cache-size attribute, nsslapd-ndn-cache-max-size
- nsslapd-outbound-ldap-io-timeout attribute, nsslapd-outbound-ldap-io-timeout
- nsslapd-pagedidlistscanlimit attribute, nsslapd-pagedidlistscanlimit
- nsslapd-pagedlookthroughlimit attribute, nsslapd-pagedlookthroughlimit
- nsslapd-pagedsizelimit attribute, nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
- nsslapd-plug-in attribute, nsslapd-plug-in
- nsslapd-plugin-binddn-tracking attribute, nsslapd-plugin-binddn-tracking
- nsslapd-plugin-depends-on-named attribute, nsslapd-plugin-depends-on-named
- nsslapd-plugin-depends-on-type attribute, nsslapd-plugin-depends-on-type
- nsslapd-pluginConfigArea attribute, nsslapd-pluginConfigArea
- nsslapd-pluginDescription attribute, nsslapd-pluginDescription
- nsslapd-pluginEnabled attribute, nsslapd-pluginEnabled
- nsslapd-pluginId attribute, nsslapd-pluginId
- nsslapd-pluginInitFunc attribute, nsslapd-pluginInitfunc
- nsslapd-pluginLoadGlobal attribute, nsslapd-pluginLoadGlobal
- nsslapd-pluginLoadNow attribute, nsslapd-pluginLoadNow
- nsslapd-pluginPath attribute, nsslapd-pluginPath
- nsslapd-pluginPrecedence attribute, nsslapd-pluginPrecedence
- nsslapd-pluginType attribute, nsslapd-pluginType
- nsslapd-pluginVendor attribute, nsslapd-pluginVendor
- nsslapd-pluginVersion attribute, nsslapd-pluginVersion
- nsslapd-port attribute, nsslapd-port (Port Number)
- nsslapd-privatenamespaces attribute, nsslapd-privatenamespaces
- nsslapd-pwpolicy-local attribute, nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
- nsslapd-rangelookthroughlimit attribute, nsslapd-rangelookthroughlimit
- nsslapd-readonly attribute, nsslapd-readonly (Read Only)
- nsslapd-referral attribute, nsslapd-referral (Referral)
- nsslapd-referralmode attribute, nsslapd-referralmode (Referral Mode)
- nsslapd-require-index attribute, nsslapd-require-index
- nsslapd-require-secure-binds attribute, nsslapd-require-secure-binds
- nsslapd-requiresrestart attribute, nsslapd-requiresrestart
- nsslapd-reservedescriptors attribute, nsslapd-reservedescriptors (Reserved File Descriptors)
- nsslapd-return-exact-case attribute, nsslapd-return-exact-case (Return Exact Case)
- nsslapd-rootdn attribute, nsslapd-rootdn (Manager DN)
- nsslapd-rootpw attribute, nsslapd-rootpw (Root Password)
- nsslapd-rootpwstoragescheme attribute, nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
- nsslapd-saslpath attribute, nsslapd-saslpath
- nsslapd-schema-ignore-trailing-spaces attribute, nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
- nsslapd-schemacheck attribute, nsslapd-schemacheck (Schema Checking)
- nsslapd-schemareplace attribute, nsslapd-schemareplace
- nsslapd-securelistenhost attribute, nsslapd-securelistenhost
- nsslapd-securePort attribute, nsslapd-securePort (Encrypted Port Number)
- nsslapd-security attribute, nsslapd-security (Security)
- nsslapd-sizelimit attribute, nsslapd-sizelimit (Size Limit)
- nsslapd-ssl-check-hostname, nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
- nsslapd-state attribute, nsslapd-state
- nsslapd-subtree-rename-switch attribute, nsslapd-subtree-rename-switch
- nsslapd-suffix attribute, nsslapd-suffix
- nsslapd-syntaxcheck, nsslapd-syntaxcheck
- nsslapd-syntaxlogging, nsslapd-syntaxlogging
- nsslapd-timelimit attribute, nsslapd-timelimit (Time Limit)
- nsslapd-validate-cert attribute, nsslapd-validate-cert
- nsslapd-versionstring attribute, nsslapd-versionstring
- nsslapd-workingdir attribute, nsslapd-workingdir
- nssnmpcontact attribute, nssnmpcontact
- nssnmpdescription attribute, nssnmpdescription
- nssnmpenabled attribute, nssnmpenabled
- nssnmplocation attribute, nssnmplocation
- nssnmpmasterhost attribute, nssnmpmasterhost
- nssnmpmasterport attribute, nssnmpmasterport
- nssnmporganization attribute, nssnmporganization
- nsssl2 attribute, nsSSL2
- nsSSL2Ciphers attribute, nsSSL2Ciphers
- nsssl3 attribute, nsSSL3
- nsSSL3Ciphers attribute, nsSSL3Ciphers
- nsSSLClientAuth attribute, nsSSLClientAuth (Client Authentication)
- nssslsessiontimeout attribute, nssslsessiontimeout
- nsState attribute, nsState
- nsstate attribute, cn=uniqueid generator
- nsSubStrBegin attribute, nsSubStrBegin
- nsSubStrEnd attribute, nsSubStrEnd
- nsSubStrMiddle attribute, nsSubStrMiddle
- nsSymmetricKey, nsSymmetricKey
- nsSystemIndex attribute, nsSystemIndex
- nsTaskCancel, Task Invocation Attributes for Entries under cn=tasks
- nsTaskCurrentItem, Task Invocation Attributes for Entries under cn=tasks
- nsTaskExitCode, Task Invocation Attributes for Entries under cn=tasks
- nsTaskLog, Task Invocation Attributes for Entries under cn=tasks
- nsTaskStatus, Task Invocation Attributes for Entries under cn=tasks
- nsTimeLimit attribute, nsTimeLimit
- nsTLS1 attribute, nsTLS1
- nsTLS10 attribute, nsTLS10
- nsTLS11 attribute, nsTLS11
- nsTLS12 attribute, nsTLS12
- nsTransmittedControls attribute, nsTransmittedControls
- nsUnbindCount attribute, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsuniqueid.db4 file, Database Files
- nsUniqueIdGenerator, cn=import
- nsUniqueIdGeneratorNamespace, cn=import
- nsUseId2Entry, cn=export
- nsUseOneFile, cn=export
- nsUseStartTLS attribute, nsUseStartTLS
- nsYIMpresence, nsYIMpresence
- ntGroup, ntGroup
- ntGroupAttributes, ntGroupAttributes
- ntGroupDeleteGroup, ntGroupDeleteGroup
- ntGroupDomainId, ntGroupDomainId
- ntGroupId, ntGroupId
- ntGroupType, ntGroupType
- ntUniqueId, ntUniqueId
- ntUser, ntUser
- ntUserAcctExpires, ntUserAcctExpires
- ntUserAuthFlags, ntUserAuthFlags
- ntUserBadPwCount, ntUserBadPwCount
- ntUserCodePage, ntUserCodePage
- ntUserComment, ntUserComment
- ntUserCountryCode, ntUserCountryCode
- ntUserCreateNewAccount, ntUserCreateNewAccount
- ntUserDeleteAccount, ntUserDeleteAccount
- ntUserDomainId, ntUserDomainId
- ntUserFlags, ntUserFlags
- ntUserHomeDir, ntUserHomeDir
- ntUserHomeDirDrive, ntUserHomeDirDrive
- ntUserLastLogon, ntUserLastLogon
- ntUserLogonHours, ntUserLogonHours
- ntUserLogonServer, ntUserLogonServer
- ntUserMaxStorage, ntUserMaxStorage
- ntUserNumLogons, ntUserNumLogons
- ntUserParms, ntUserParms
- ntUserPasswordExpired, ntUserPasswordExpired
- ntUserPrimaryGroupId, ntUserPrimaryGroupId
- ntUserPriv, ntUserPriv
- ntUserProfile, ntUserProfile
- ntUserScriptPath, ntUserScriptPath
- ntUserUniqueId, ntUserUniqueId
- ntUserUnitsPerWeek, ntUserUnitsPerWeek
- ntUserUsrComment, ntUserUsrComment
- ntUserWorkstations, ntUserWorkstations
- numSubordinates, numSubordinates
- numsubordinates.db4 file, Database Files
O
- o, o (organizationName)
- o=NetscapeRoot
- configuration, Configuration of Databases
- object class
- allowed attributes, Required and Allowed Attributes
- cacheObject, cacheObject
- defined, Object Classes
- ieee802Device, ieee802Device
- inetAdmin, inetAdmin
- inetDomain, inetDomain
- inetSubscriber, inetSubscriber
- inetUser, inetUser
- inheritance, Object Class Inheritance
- required attributes, Required and Allowed Attributes
- object classes
- nsAttributeEncryption, nsAttributeEncryption (Object Class)
- nsSaslMapping, nsSaslMapping (Object Class)
- object identifiers (OIDs), Object Identifiers (OIDs)
- base OID for Directory Server, Object Identifiers (OIDs)
- base OID for Netscape, Object Identifiers (OIDs)
- base OID for Netscape-defined attributes, Object Identifiers (OIDs)
- base OID for Netscape-defined object classes, Object Identifiers (OIDs)
- objectClass, objectClass
- objectclass.db4 file, Database Files
- objectClasses, objectClasses
- obsoletedByDocument, obsoletedByDocument
- obsoletesDocument, obsoletesDocument
- oncRpc, oncRpc
- oncRpcNumber, oncRpcNumber
- oneWaySync, oneWaySync
- operational attributes
- accountUnlockTime, accountUnlockTime
- aci, aci
- altServer, altServer
- attributeTypes, attributeTypes
- copiedFrom, copiedFrom
- copyingFrom, copyingFrom
- createTimestamp, createTimestamp
- creatorsName, creatorsName
- defaultNamingContext, defaultNamingContext
- dITContentRules, dITContentRules
- dITStructureRules, dITStructureRules
- entryusn, entryusn
- internalCreatorsName, internalCreatorsName, internalModifiersName
- ldapSyntaxes, ldapSyntaxes
- matchingRules, matchingRules
- matchingRuleUse, matchingRuleUse
- modifiersName, modifiersName
- modifyTimestamp, modifyTimestamp
- nameForms, nameForms
- namingContexts, namingContexts
- nsRole, nsRole
- nsRoleDn, nsRoleDn
- nsRoleFilter, nsRoleFilter
- numSubordinates, numSubordinates
- passwordGraceUserTime, passwordGraceUserTime
- passwordRetryCount, passwordRetryCount
- pwdpolicysubentry, pwdpolicysubentry
- pwdUpdateTime, pwdUpdateTime
- subschemaSubentry, subschemaSubentry
- supportedControl, supportedControl
- supportedExtension, supportedExtension
- supportedFeatures, supportedFeatures
- supportedLDAPVersion, supportedLDAPVersion
- supportedSASLMechanisms, supportedSASLMechanisms
- opscompleted attribute, cn=monitor
- opsinitiated attribute, cn=monitor
- organization, organization
- organizationalPerson, organizationalPerson
- organizationalRole, organizationalRole
- organizationalStatus, organizationalStatus
- organizationalUnit, organizationalUnit
- otherMailbox, otherMailbox
- ou, ou (organizationalUnitName)
- owner, owner
P
- pager, pager
- PAM pass through auth
- plug-in configuration attributes, PAM Pass Through Auth Plug-in Attributes
- parentid.db4 file, Database Files
- parentOrganization, parentOrganization
- passwordLockoutDuration attribute, passwordLockoutDuration (Lockout Duration)
- passwordAllowChangeTime, passwordAllowChangeTime
- passwordChange attribute, passwordChange (Password Change)
- passwordCheckSyntax attribute, passwordCheckSyntax (Check Password Syntax)
- passwordExp attribute, passwordExp (Password Expiration)
- passwordExpirationTime, passwordExpirationTime
- passwordExpWarned, passwordExpWarned
- passwordGraceUserTime, passwordGraceUserTime
- passwordHistory attribute, passwordHistory (Password History)
- passwordInHistory attribute, passwordInHistory (Number of Passwords to Remember)
- passwordLegacyPolicy attribute, passwordLegacyPolicy
- passwordLockout attribute, passwordLockout (Account Lockout)
- passwordMaxAge attribute, passwordMaxAge (Password Maximum Age)
- passwordMaxFailure attribute, passwordMaxFailure (Maximum Password Failures)
- passwordMinAge attribute, passwordMinAge (Password Minimum Age)
- passwordMinLength attribute, passwordMinLength (Password Minimum Length)
- passwordMustChange attribute, passwordMustChange (Password Must Change)
- passwordObject, passwordObject (Object Class)
- passwordResetDuration attribute, passwordResetDuration
- passwordResetFailureCount attribute, passwordResetFailureCount (Reset Password Failure Count After)
- passwordRetryCount, passwordRetryCount
- passwords
- passwordStorageScheme attribute, passwordStorageScheme (Password Storage Scheme)
- passwordTrackUpdateTime attribute, passwordTrackUpdateTime
- passwordUnlock attribute, passwordUnlock (Unlock Account)
- passwordWarning attribute, passwordWarning (Send Warning)
- perl scripts, Perl Scripts
- locating, Command-Line Scripts Quick Reference
- permissions
- specifying for index files, nsslapd-mode
- person, person
- personalSignature, personalSignature
- personalTitle, personalTitle
- photo, photo
- physicalDeliveryOfficeName, physicalDeliveryOfficeName
- pilotObject, pilotObject
- pilotOrganization, pilotOrganization
- pkiCA, pkiCA
- pkiUser, pkiUser
- plug-in functionality configuration attributes
- altstateattrname, altstateattrname
- alwaysRecordLogin, alwaysRecordLogin
- autoMemberDefaultGroup, autoMemberDefaultGroup
- autoMemberDefinition, autoMemberDefinition (Object Class)
- autoMemberExclusiveRegex, autoMemberExclusiveRegex
- autoMemberFilter, autoMemberFilter
- autoMemberGroupingAttr, autoMemberGroupingAttr
- autoMemberInclusiveRegex, autoMemberInclusiveRegex
- autoMemberRegexRule, autoMemberRegexRule (Object Class)
- autoMemberScope, autoMemberScope
- autoMemberTargetGroup, autoMemberTargetGroup
- cn, cn
- dbcachehitratio, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachehits, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachepagein, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachepageout, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcacheroevict, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcacherwevict, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbcachetries, Database Attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
- dbfilecachehit, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilecachemiss, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilenamenumber, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilepagein, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dbfilepageout, Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
- dnaFilter, dnaFilter
- dnaHostname, dnaHostname
- dnaInterval, dnaInterval
- dnaMagicRegen, dnaMagicRegen
- dnaMaxValue, dnaMaxValue
- dnaNextRange, dnaNextRange
- dnaNextValue, dnaNextValue
- dnaPortNum, dnaPortNum
- dnaPrefix, dnaPrefix
- dnaRangeRequestTimeout, dnaRangeRequestTimeout
- dnaRemainingValues, dnaRemainingValues
- dnaScope, dnaScope
- dnaSecurePortNum, dnaSecurePortNum
- dnaSharedCfgDN, dnaSharedCfgDN
- dnaThreshold, dnaThreshold
- dnaType, dnaType
- isReplicated, isReplicated
- limitattrname, limitattrname
- linkScope, linkScope
- linkType, linkType
- managedBase, managedBase
- managedTemplate, managedTemplate
- managedType, managedType
- memberOfAllBackends, memberOfAllBackends
- memberOfAttr, memberOfAttr
- memberOfEntryScope, memberOfEntryScope
- memberOfEntryScopeExcludeSubtree, memberOfEntryScopeExcludeSubtree
- memberOfGroupAttr, memberOfGroupAttr
- nsAbandonCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsAbandonedSearchCheckInterval, nsAbandonedSearchCheckInterval
- nsActiveChainingComponents, nsActiveChainingComponents
- nsAddCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindConnectionCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindConnectionsLimit, nsBindConnectionsLimit
- nsBindCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsBindMechanism, nsBindMechanism
- nsBindRetryLimit, nsBindRetryLimit
- nsBindTimeout, nsBindTimeout
- nsCheckLocalACI, nsCheckLocalACI
- nsCompareCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsConcurrentBindLimit, nsConcurrentBindLimit
- nsConcurrentOperationsLimit, nsConcurrentOperationsLimit
- nsConnectionLife, nsConnectionLife
- nsDeleteCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsFarmServerURL, nsFarmServerURL
- nshoplimit, nshoplimit
- nsIndexIDListScanLimit, nsIndexIDListScanLimit
- nsIndexType, nsIndexType
- nsMatchingRule, nsMatchingRule
- nsMaxResponseDelay, nsMaxResponseDelay
- nsMaxTestResponseDelay, nsMaxTestResponseDelay
- nsModifyCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsMultiplexorBindDN, nsMultiplexorBindDN
- nsMultiplexorCredentials, nsMultiplexorCredentials
- nsOperationConnectionCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsOperationConnectionsLimit, nsOperationConnectionsLimit
- nsProxiedAuthorization, nsProxiedAuthorization
- nsReferralOnScopedSearch, nsReferralOnScopedSearch
- nsRenameCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchBaseCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchOneLevelCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSearchSubtreeCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsSizeLimit, nsSizeLimit
- nsslapd-attribute, nsslapd-attribute
- nsslapd-cache-autosize, nsslapd-cache-autosize
- nsslapd-cache-autosize-split, nsslapd-cache-autosize-split
- nsslapd-cachememsize, nsslapd-cachememsize
- nsslapd-cachesize, nsslapd-cachesize
- nsslapd-changelogdir, nsslapd-changelogdir
- nsslapd-changelogmaxage, nsslapd-changelogmaxage (Max Changelog Age)
- nsslapd-db-checkpoint-interval, nsslapd-db-checkpoint-interval
- nsslapd-db-circular-logging, nsslapd-db-circular-logging
- nsslapd-db-debug, nsslapd-db-debug
- nsslapd-db-durable-transactions, nsslapd-db-durable-transactions
- nsslapd-db-home-directory, nsslapd-db-home-directory
- nsslapd-db-idl-divisor, nsslapd-db-idl-divisor
- nsslapd-db-logbuf-size, nsslapd-db-logbuf-size
- nsslapd-db-logdirectory, nsslapd-db-logdirectory
- nsslapd-db-logfile-size, nsslapd-db-logfile-size
- nsslapd-db-page-size, nsslapd-db-page-size
- nsslapd-db-spin-count, nsslapd-db-spin-count
- nsslapd-db-transaction-batch-val, nsslapd-db-transaction-batch-val
- nsslapd-db-trickle-percentage, nsslapd-db-trickle-percentage
- nsslapd-db-verbose, nsslapd-db-verbose
- nsslapd-dbcachesize, nsslapd-dbcachesize
- nsslapd-dbncache, nsslapd-dbncache
- nsslapd-directory, nsslapd-directory, nsslapd-directory
- nsslapd-dncachememsize, nsslapd-dncachememsize
- nsslapd-exclude-from-export, nsslapd-exclude-from-export
- nsslapd-idlistscanlimit, nsslapd-idlistscanlimit
- nsslapd-import-cache-autosize, nsslapd-import-cache-autosize
- nsslapd-import-cachesize, nsslapd-import-cachesize
- nsslapd-lookthroughlimit, nsslapd-lookthroughlimit
- nsslapd-mode, nsslapd-mode
- nsslapd-pagedidlistscanlimit, nsslapd-pagedidlistscanlimit
- nsslapd-pagedlookthroughlimit, nsslapd-pagedlookthroughlimit
- nsslapd-plugin-depends-on-named, nsslapd-plugin-depends-on-named
- nsslapd-plugin-depends-on-type, nsslapd-plugin-depends-on-type
- nsslapd-pluginConfigArea, nsslapd-pluginConfigArea
- nsslapd-pluginDescription, nsslapd-pluginDescription
- nsslapd-pluginEnabled, nsslapd-pluginEnabled
- nsslapd-pluginId, nsslapd-pluginId
- nsslapd-pluginInitFunc, nsslapd-pluginInitfunc
- nsslapd-pluginLoadGlobal, nsslapd-pluginLoadGlobal
- nsslapd-pluginLoadNow, nsslapd-pluginLoadNow
- nsslapd-pluginPath, nsslapd-pluginPath
- nsslapd-pluginPrecedence, nsslapd-pluginPrecedence
- nsslapd-pluginType, nsslapd-pluginType
- nsslapd-pluginVendor, nsslapd-pluginVendor
- nsslapd-pluginVersion, nsslapd-pluginVersion
- nsslapd-rangelookthroughlimit, nsslapd-rangelookthroughlimit
- nsslapd-readonly, nsslapd-readonly
- nsslapd-require-index, nsslapd-require-index
- nsslapd-subtree-rename-switch, nsslapd-subtree-rename-switch
- nsslapd-suffix, nsslapd-suffix
- nsSubStrBegin, nsSubStrBegin
- nsSubStrEnd, nsSubStrEnd
- nsSubStrMiddle, nsSubStrMiddle
- nsSystemIndex, nsSystemIndex
- nsTimeLimit, nsTimeLimit
- nsTransmittedControls, nsTransmittedControls
- nsUnbindCount, Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config
- nsUseStartTLS, nsUseStartTLS
- originFilter, originFilter
- originScope, originScope
- posixWinsyncCreateMemberOfTask, posixWinsyncCreateMemberOfTask
- posixWinsyncLowerCaseUID, posixWinsyncLowerCaseUID
- posixWinsyncMapMemberUID, posixWinsyncMapMemberUID
- posixWinsyncMapNestedGrouping, posixWinsyncMapNestedGrouping
- posixWinsyncMsSFUSchema, posixWinsyncMsSFUSchema
- rootdn-allow-host, rootdn-allow-host
- rootdn-allow-ip, rootdn-allow-ip
- rootdn-close-time, rootdn-close-time
- rootdn-days-allowed, rootdn-days-allowed
- rootdn-deny-ip, rootdn-deny-ip
- rootdn-open-time, rootdn-open-time
- specattrname, specattrname
- stateattrname, stateattrname
- vlvBase, vlvBase
- vlvEnabled, vlvEnabled
- vlvFilter, vlvFilter
- vlvScope, vlvScope
- vlvSort, vlvSort
- vlvUses, vlvUses
- plug-in functionality monitoring attributes
- currentdncachecount, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- currentdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- currentNormalizedDNcachecount, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- currentNormalizedDNcachesize, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- maxdncachesize, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- maxNormalizedDNcachesize, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachehitratio, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachehits, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachemisses, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- normalizedDNcachetries, Database Attributes under cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-abort-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-active-txns, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-hit, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-size-bytes, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-cache-try, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-clean-pages, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-commit-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-deadlock-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-dirty-pages, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-buckets, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-elements-examine-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-hash-search-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-conflicts, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lock-request-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-lockers, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-bytes-since-checkpoint, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-log-write-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-longest-chain-length, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-create-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-ro-evict-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-rw-evict-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-trickle-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-page-write-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-pages-in-use, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- nsslapd-db-txn-region-wait-rate, Database Attributes under cn=monitor,cn=database,cn=ldbm database,cn=plugins,cn=config
- plug-ins
- configuration of, Overview of the Directory Server Configuration
- distributed number assignment plug-in, Distributed Numeric Assignment Plug-in
- Managed Entries plug-in, Managed Entries Plug-in
- memberOf plug-in, MemberOf Plug-in
- schema reload plug-in, Schema Reload Plug-in
- port numbers
- less than 1024, nsslapd-port (Port Number)
- posix winsync API plug-in configuration attributes
- posixWinsyncCreateMemberOfTask, posixWinsyncCreateMemberOfTask
- posixWinsyncLowerCaseUID, posixWinsyncLowerCaseUID
- posixWinsyncMapMemberUID, posixWinsyncMapMemberUID
- posixWinsyncMapNestedGrouping, posixWinsyncMapNestedGrouping
- posixWinsyncMsSFUSchema, posixWinsyncMsSFUSchema
- posixAccount, posixAccount
- posixGroup, posixGroup
- postalAddress, postalAddress
- postalCode, postalCode
- postOfficeBox, postOfficeBox
- preferredDeliveryMethod, preferredDeliveryMethod
- preferredLanguage, preferredLanguage
- preferredLocale, preferredLocale
- preferredTimeZone, preferredTimeZone
- presentationAddress, presentationAddress
- protocolInformation, protocolInformation
- pwdhash
- command-line shell script, pwdhash (Prints Encrypted Passwords)
- quick reference, Command-Line Scripts Quick Reference
- pwdpolicysubentry, pwdpolicysubentry
- pwdUpdateTime, pwdUpdateTime
R
- read-only monitoring configuration attributes
- backendMonitorDN, cn=monitor
- bytessent, cn=monitor
- connection, cn=monitor
- currentconnections, cn=monitor
- currenttime, cn=monitor
- dtablesize, cn=monitor
- entriessent, cn=monitor
- nbackends, cn=monitor
- opscompleted, cn=monitor
- opsinitiated, cn=monitor
- readwaiters, cn=monitor
- starttime, cn=monitor
- totalconnections, cn=monitor
- read-only monitoring configuration entries
- cn=monitor, cn=monitor
- readwaiters attribute, cn=monitor
- referral, referral
- register-ds-admin.pl
- quick reference, Command-Line Scripts Quick Reference
- register-ds-admin.pl command-line script
- options, register-ds-admin.pl
- syntax, register-ds-admin.pl
- registeredAddress, registeredAddress
- remove-ds-admin.pl
- quick reference, Command-Line Scripts Quick Reference
- remove-ds-admin.pl command-line script
- options, remove-ds-admin.pl
- syntax, remove-ds-admin.pl
- remove-ds.pl
- quick reference, Command-Line Scripts Quick Reference
- remove-ds.pl command-line script
- options, remove-ds.pl
- syntax, remove-ds.pl
- repl-monitor
- command-line shell script, repl-monitor (Monitors Replication Status)
- quick reference, Command-Line Scripts Quick Reference
- repl-monitor.pl
- command-line perl script, repl-monitor.pl (Monitors Replication Status)
- quick reference, Command-Line Scripts Quick Reference
- replica-base-dn, cn=cleanallruv, cn=abort cleanallruv
- replica-certify-all, cn=abort cleanallruv
- replica-force-cleaning, cn=cleanallruv
- replica-id, cn=cleanallruv, cn=abort cleanallruv
- replication agreement configuration attributes
- cn, cn
- description, description
- nsDS50ruv, nsDS50ruv
- nsDS5BeginReplicaRefresh, nsDS5BeginReplicaRefresh
- nsDS5ReplicaBindDN, nsDS5ReplicaBindDN
- nsDS5ReplicaBindMethod, nsDS5ReplicaBindMethod
- nsDS5ReplicaBusyWaitTime, nsDS5ReplicaBusyWaitTime
- nsDS5ReplicaChangesSentSinceStartup, nsDS5ReplicaChangesSentSinceStartup
- nsDS5ReplicaCredentials, nsDS5ReplicaCredentials
- nsds5ReplicaEnabled, nsds5ReplicaEnabled
- nsDS5ReplicaHost, nsDS5ReplicaHost
- nsDS5ReplicaLastInitEnd, nsDS5ReplicaLastInitEnd
- nsDS5ReplicaLastInitStart, nsDS5ReplicaLastInitStart
- nsDS5ReplicaLastInitStatus, nsDS5ReplicaLastInitStatus
- nsDS5ReplicaLastUpdateEnd, nsDS5ReplicaLastUpdateEnd
- nsDS5ReplicaLastUpdateStart, nsDS5ReplicaLastUpdateStart
- nsDS5ReplicaLastUpdateStatus, nsDS5ReplicaLastUpdateStatus
- nsDS5ReplicaPort, nsDS5ReplicaPort
- nsDS5ReplicaReapActive, nsDS5ReplicaReapActive
- nsDS5ReplicaRoot, nsDS5ReplicaRoot
- nsDS5ReplicaSessionPauseTime, nsDS5ReplicaSessionPauseTime
- nsds5ReplicaStripAttrs, nsds5ReplicaStripAttrs
- nsDS5ReplicatedAttributeList, nsDS5ReplicatedAttributeList
- nsDS5ReplicatedAttributeListTotal, nsDS5ReplicatedAttributeListTotal
- nsDS5ReplicaTimeout, nsDS5ReplicaTimeout
- nsDS5ReplicaTransportInfo, nsDS5ReplicaTransportInfo
- nsDS5ReplicaUpdateInProgress, nsDS5ReplicaUpdateInProgress
- nsDS5ReplicaUpdateSchedule, nsDS5ReplicaUpdateSchedule
- nsruvReplicaLastModified, nsruvReplicaLastModified
- object classes, Replication Attributes under cn=ReplicationAgreementName,cn=replica,cn=suffixName,cn=mapping tree,cn=config
- replication configuration attributes
- nsDS5Flags, nsDS5Flags
- nsDS5ReplConflict, nsDS5ReplConflict
- nsDS5ReplicaBindDN, nsDS5ReplicaBindDN
- nsDS5ReplicaChangeCount, nsDS5ReplicaChangeCount
- nsDS5ReplicaID, nsDS5ReplicaId
- nsDS5ReplicaLegacyConsumer, nsDS5ReplicaLegacyConsumer
- nsDS5ReplicaName, nsDS5ReplicaName
- nsDS5ReplicaPurgeDelay, nsDS5ReplicaPurgeDelay
- nsDS5ReplicaReferral, nsDS5ReplicaReferral
- nsDS5ReplicaReleaseTimeout, nsDS5ReplicaReleaseTimeout
- nsDS5ReplicaRoot, nsDS5ReplicaRoot
- nsDS5ReplicaTombstonePurgeInterval, nsDS5ReplicaTombstonePurgeInterval
- nsDS5ReplicaType, nsDS5ReplicaType
- nsds5Task, nsds5Task
- nsState, nsState
- object classes, Replication Attributes under cn=replica,cn=suffixDN,cn=mapping tree,cn=config
- residentialPerson, residentialPerson
- restart, restart-dirsrv (Restarts the Directory Server), restart-ds-admin (Restarts the Admin Server), restart-slapd (Restarts the Directory Server)
- restart-dirsrv
- command-line shell script, restart-dirsrv (Restarts the Directory Server)
- quick reference, Command-Line Scripts Quick Reference
- restart-ds-admin
- command-line shell script, restart-ds-admin (Restarts the Admin Server)
- quick reference, Command-Line Scripts Quick Reference
- restart-slapd
- command-line shell script, restart-slapd (Restarts the Directory Server)
- quick reference, Command-Line Scripts Quick Reference
- restarting server
- requirement for certain configuration changes, Configuration Changes Requiring Server Restart
- restoreconfig
- command-line shell script, restoreconfig (Restores Admin Server Configuration)
- quick reference, Command-Line Scripts Quick Reference
- retro changelog
- Meta Directory changelog, cn=changelog5
- retro changelog plug-in configuration attributes
- isReplicated, isReplicated
- nsslapd-attribute, nsslapd-attribute
- nsslapd-changelogdir, nsslapd-changelogdir
- retryCountResetTime, retryCountResetTime
- RFC822LocalPart, RFC822LocalPart
- roleOccupant, roleOccupant
- room, room
- roomNumber, roomNumber
- rootdn access control plug-in configuration attributes
- rootdn-allow-host, rootdn-allow-host
- rootdn-allow-ip, rootdn-allow-ip
- rootdn-close-time, rootdn-close-time
- rootdn-days-allowed, rootdn-days-allowed
- rootdn-deny-ip, rootdn-deny-ip
- rootdn-open-time, rootdn-open-time
- rsearch
- location, rsearch (Search Stress Tests)
- test script, rsearch (Search Stress Tests)
S
- SASL configuration attributes
- nsSaslMapBaseDNTemplate, nsSaslMapBaseDNTemplate
- nsSaslMapFilterTemplate, nsSaslMapFilterTemplate
- nsSaslMapRegexString, nsSaslMapRegexString
- SASL configuration entries
- cn=sasl, cn=sasl
- saveconfig
- command-line shell script, saveconfig (Saves Admin Server Configuration)
- quick reference, Command-Line Scripts Quick Reference
- schema
- checking, Schema Checking
- defined, Schema Definitions
- extending, Extending the Schema
- supported, Default Directory Server Schema Files
- schema-reload.pl, schema-reload.pl (Reload Schema Files Dynamically)
- quick reference, Command-Line Scripts Quick Reference
- related configuration entry, cn=schema reload task
- schemadir, cn=schema reload task
- scope, cn=automember rebuild membership, cn=automember export updates
- scripts, Command-Line Scripts
- location of perl scripts, Command-Line Scripts Quick Reference
- location of shell scripts, Command-Line Scripts Quick Reference
- perl scripts, Perl Scripts
- search operations
- limiting entries returned, nsslapd-sizelimit (Size Limit)
- limiting entries returned for paged searches, nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
- setting time limits, nsslapd-timelimit (Time Limit)
- searchGuide, searchGuide
- sec-activate, sec-activate
- secretary, secretary
- seeAlso, seeAlso
- serialNumber, serialNumber
- server restart
- after configuration changes, Configuration Changes Requiring Server Restart
- setting the location of SASL plugins, nsslapd-saslpath
- setup-ds-admin.pl
- quick reference, Command-Line Scripts Quick Reference
- setup-ds-admin.pl command-line script
- options, setup-ds-admin.pl
- syntax, setup-ds-admin.pl
- setup-ds.pl
- quick reference, Command-Line Scripts Quick Reference
- setup-ds.pl command-line script
- options, setup-ds.pl
- syntax, setup-ds.pl
- shadowAccount, shadowAccount
- shadowExpire, shadowExpire
- shadowFlag, shadowFlag
- shadowInactive, shadowInactive
- shadowLastChange, shadowLastChange
- shadowMax, shadowMax
- shadowMin, shadowMin
- shadowWarning, shadowWarning
- simpleSecurityObject, simpleSecurityObject
- singleLevelQuality, singleLevelQuality
- slapd.conf file
- location of, Accessing and Modifying Server Configuration
- sn, sn (surname)
- SNMP configuration attributes
- nssnmpcontact, nssnmpcontact
- nssnmpdescription, nssnmpdescription
- nssnmpenabled, nssnmpenabled
- nssnmplocation, nssnmplocation
- nssnmpmasterhost, nssnmpmasterhost
- nssnmpmasterport, nssnmpmasterport
- nssnmporganization, nssnmporganization
- SNMP configuration entries
- cn=SNMP, cn=SNMP
- special attributes
- change, change
- changeLog, changeLog
- changeNumber, changeNumber
- changeTime, changeTime
- changeType, changeType
- deleteOldRdn, deleteOldRdn
- newRdn, newRdn
- newSuperior, newSuperior
- targetDn, targetDn
- special object classes
- changeLogEntry, changeLogEntry (Object Class)
- nsDS5Replica, nsDS5Replica (Object Class)
- nsDS5ReplicationAgreement, nsDS5ReplicationAgreement (Object Class)
- nsDSWindowsReplicationAgreement, nsDSWindowsReplicationAgreement (Object Class)
- passwordObject, passwordObject (Object Class)
- subschema, subschema (Object Class)
- st, st (stateOrProvinceName)
- start, start-dirsrv (Starts the Directory Server), start-ds-admin (Starts the Admin Server)
- start-dirsrv
- command-line shell script, start-dirsrv (Starts the Directory Server)
- quick reference, Command-Line Scripts Quick Reference
- start-ds-admin
- command-line shell script, start-ds-admin (Starts the Admin Server)
- quick reference, Command-Line Scripts Quick Reference
- start-slapd
- command-line shell script, start-slapd (Starts the Directory Server)
- quick reference, Command-Line Scripts Quick Reference
- starttime attribute, cn=monitor
- statistics
- from access logs, logconv.pl (Log Converter)
- stop, stop-dirsrv (Stops the Directory Server), stop-ds-admin (Stops the Admin Server)
- stop-dirsrv
- command-line shell script, stop-dirsrv (Stops the Directory Server)
- quick reference, Command-Line Scripts Quick Reference
- stop-ds-admin
- command-line shell script, stop-ds-admin (Stops the Admin Server)
- quick reference, Command-Line Scripts Quick Reference
- stop-slapd
- command-line shell script, stop-slapd (Stops the Directory Server)
- quick reference, Command-Line Scripts Quick Reference
- street, street
- strongAuthenticationUser, strongAuthenticationUser
- subject, subject
- subschema, subschema (Object Class)
- subschemaSubentry, subschemaSubentry
- subtreeMaximumQuality, subtreeMaximumQuality
- subtreeMinimumQuality, subtreeMinimumQuality
- suffix, cn=USN tombstone cleanup task
- suffix and replication configuration entries
- cn=mapping tree, cn=mapping tree
- suffix configuration attributes
- nsslapd-backend, nsslapd-backend
- nsslapd-state, nsslapd-state
- object classes, Suffix Configuration Attributes under cn=suffixName
- suffix2instance
- command-line shell script, suffix2instance (Maps a Suffix to a Backend Name)
- quick reference, Command-Line Scripts Quick Reference
- supported schema, Default Directory Server Schema Files
- supportedAlgorithms, supportedAlgorithms
- supportedApplicationContext, supportedApplicationContext
- supportedControl, supportedControl
- supportedExtension, supportedExtension
- supportedFeatures, supportedFeatures
- supportedLDAPVersion, supportedLDAPVersion
- supportedSASLMechanisms, supportedSASLMechanisms
- synchronization agreement attributes
- nsds7DirectoryReplicaSubtree, nsds7DirectoryReplicaSubtree
- nsds7DirsyncCookie, nsds7DirsyncCookie
- nsds7NewWinGroupSyncEnabled, nsds7NewWinGroupSyncEnabled
- nsds7NewWinUserSyncEnabled, nsds7NewWinUserSyncEnabled
- nsds7WindowsDomain, nsds7WindowsDomain
- nsds7WindowsReplicaSubtree, nsds7WindowsReplicaSubtree
- oneWaySync, oneWaySync
- winSyncInterval, winSyncInterval
- winSyncMoveAction, winSyncMoveAction
- syntax
- validation, Syntax Validation
- syntax-validate.pl
- command-line perl script, syntax-validate.pl (Validate Attribute Values)
- quick reference, Command-Line Scripts Quick Reference
- related configuration entry, cn=syntax validate
T
- targetDn, targetDn
- telephoneNumber, telephoneNumber
- teletexTerminalIdentifier, teletexTerminalIdentifier
- telexNumber, telexNumber
- test scripts
- ldclt, ldclt (Load Stress Tests)
- rsearch, rsearch (Search Stress Tests)
- title, title
- totalconnections attribute, cn=monitor
- trailing spaces in object class names, nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
- ttl, Task Invocation Attributes for Entries under cn=tasks, ttl (TimeToLive)
U
- uid, uid (userID)
- uidNumber, uidNumber
- uniqueid generator configuration attributes
- nsstate, cn=uniqueid generator
- uniqueid generator configuration entries
- cn=uniqueid generator, cn=uniqueid generator
- uniqueIdentifier, uniqueIdentifier
- uniqueMember, uniqueMember
- updatedByDocument, updatedByDocument
- updatesDocument, updatesDocument
- upgradednformat
- command-line shell script, upgradednformat
- quick reference, Command-Line Scripts Quick Reference
- userCertificate, userCertificate
- userClass, userClass
- userPassword, userPassword
- userPKCS12, userPKCS12
- usn-tombstone-cleanup.pl
- command-line perl script, usn-tombstone-cleanup.pl (Remove Deleted Entries)
- quick reference, Command-Line Scripts Quick Reference
- related configuration entry, cn=USN tombstone cleanup task
V
- verify-db.pl
- command-line perl script, verify-db.pl (Check for Corrupt Databases)
- quick reference, Command-Line Scripts Quick Reference
- vlvBase attribute, vlvBase
- vlvEnabled attribute, vlvEnabled
- vlvFilter attribute, vlvFilter
- vlvindex
- command-line shell script, vlvindex (Creates Virtual List View Indexes)
- quick reference, Command-Line Scripts Quick Reference
- vlvScope attribute, vlvScope
- vlvSort attribute, vlvSort
- vlvUses attribute, vlvUses
W
- winSyncInterval, winSyncInterval
- winSyncMoveAction, winSyncMoveAction
X
- x121Address, x121Address
- x500UniqueIdentifier, x500UniqueIdentifier
Appendix D. Revision History
| Revision | Date |
|---|---|
| Revision 9.1-14 | Mon Jun 26, 2017 |
| Revision 9.1-13 | Mon May 29, 2017 |
| Revision 9.1-12 | Thu Mar 16, 2017 |
| Revision 9.1-11 | Fri Feb 24, 2017 |
| Revision 9.1-10 | Thu Dec 15, 2016 |
| Revision 9.1-9 | Wed Jun 22, 2016 |
| Revision 9.1-7 | Apr 19, 2016 |
| Revision 9.1-2 | March 8, 2013 |
| Revision 9.1-1 | February 21, 2013 |
| Revision 9.0-3 | July 2, 2012 |
| Revision 9.0-1 | January 30, 2012 |
| Revision 9.0-0 | December 6, 2011 |
